CVE-2025-62051

Vulnerability

Overview CVE-2025-62051 is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin UDesign Core, affecting versions up to and including 4.14.1. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject malicious script injection into pages served to other users [1].

Exploitation

Conditions Exploitation requires an authenticated user with at least contributor-level privileges to inject the payload. However, successful execution also depends on another privileged user (e.g., administrator) performing an action such as clicking a crafted link or visiting a page containing the injected script. This user interaction is necessary for the attack to succeed [1].

Impact

If exploited, an attacker can inject arbitrary HTML and JavaScript, leading to redirects, unwanted advertisements, or other malicious payloads that execute in the browsers of visitors. This can compromise site integrity and user trust, though the CVSS score of 6.5 (Medium) reflects the need for user interaction and authenticated access [1].

Mitigation

The vendor has released version 4.14.2 which patches the vulnerability. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].