CVE-2025-49392: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Themify Audio Dock WordPress plugin, identified as CVE-2025-49392. The vulnerability affects versions up to and including 2.0.5, and was disclosed on August 20, 2025. The issue stems from insufficient input sanitization and output escaping in the plugin (Rapid7, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). It received a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The issue specifically affects multi-site installations and installations where unfiltered_html has been disabled (Rapid7).

When exploited, this vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page. The impact includes potential data exposure, session hijacking, or other malicious actions performed in the context of the victim's browser (Rapid7, Patchstack).

The vulnerability has been patched in version 2.0.6 of the Themify Audio Dock plugin. Users are advised to update to this version or later to remediate the security issue. The fix addresses the input sanitization and output escaping mechanisms that were previously insufficient (Patchstack).