CVE-2025-49048: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Inspectlet – User Session Recording and Heatmaps WordPress plugin, versions up to 2.0. The vulnerability was discovered by Nabil Irawan and was officially disclosed on August 14, 2025. This security issue has been assigned CVE-2025-49048 and affects the plugin's web page generation functionality (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). It has received a CVSS v3.1 base score of 5.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires administrator privileges to exploit (Patchstack, NVD).

If exploited, this vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

Currently, there is no official fix available for this vulnerability. The software is considered abandoned as it hasn't been updated for over a year. Users are strongly advised to remove and replace the plugin with an alternative solution (Patchstack).