VYPR
Medium severity 6.5 · NVD Advisory · Published Mar 19, 2026 · Updated Apr 22, 2026

CVE-2025-62043

Description

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS. This issue affects WPCasa: from n/a through 1.4.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-Based XSS vulnerability in WPCasa plugin versions up to 1.4.1 allows script injection via improper input neutralization.

The WPCasa plugin for WordPress versions up to and including 1.4.1 contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation. This issue arises from insufficient sanitization of user-supplied data that is later processed by client-side scripts, allowing attackers to inject malicious JavaScript into the DOM of a victim's browser. The vulnerability is classified as medium severity with a CVSS v3 score of 6.5 [1].

Exploitation requires user interaction, such as clicking a crafted link or visiting a specially designed page, and may involve a privileged user action to trigger the payload. An attacker with low privileges can initiate the attack, but successful exploitation depends on a victim (e.g., an administrator) performing an action like clicking a malicious link. This makes the attack vector feasible for phishing campaigns or supply chain attacks [1].

If exploited, an attacker could inject arbitrary scripts into the affected website, leading to actions such as redirecting visitors to malicious sites, displaying advertisements, or stealing sensitive information. The injected script executes in the context of the victim's browser, potentially compromising user sessions or altering page content [1].

The vulnerability is resolved in version 1.4.2 of the WPCasa plugin. Users are strongly advised to update immediately to mitigate the risk. For those unable to update, alternative measures such as consulting a hosting provider or web developer are recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
