CVE-2025-49892: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress Pending Order Bot plugin affecting versions through 1.0.2. The vulnerability was identified on June 26, 2025, and publicly disclosed on August 17, 2025. This security issue affects the badasswp Pending Order Bot WordPress plugin (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability, allowing for Stored XSS attacks. The issue has been assigned a CVSS v3.1 score of 5.9 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability requires high privileges and user interaction to exploit, but can be accessed remotely (NVD).

If exploited, this vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

As of the latest reports, no official fix is available for this vulnerability. The issue affects versions up to and including 1.0.2 of the Pending Order Bot plugin (Patchstack).