CVE-2025-49437: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability has been identified in worstguy's WP LOL Rotation WordPress plugin, tracked as CVE-2025-49437. The vulnerability affects all versions through 1.0 of the plugin. The issue was discovered by Chu The Anh (Blue Rock) and was publicly disclosed on July 29, 2025 (Patchstack).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue (CWE-79) that allows for improper neutralization of input during web page generation. The vulnerability has received a CVSS v3.1 base score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based, requires low attack complexity, low privileges, and user interaction (NVD).

This vulnerability could enable malicious actors to inject malicious scripts into the website, potentially leading to redirects, unauthorized advertisements, and execution of other HTML payloads when visitors access the affected site. The impact affects confidentiality, integrity, and availability at a low level (Patchstack).

Currently, there is no official fix available for this vulnerability. Website administrators using the affected plugin should consider implementing additional security controls or removing the plugin until a patch becomes available (Patchstack).