CVE-2025-62074

Vulnerability

Summary The WPMobile.App plugin for WordPress, developed by Amauri, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw affects all versions from n/a through 11.71 and is assigned CVE-2025-62074 with a CVSS v3 score of 7.1 (High) [1].

Exploitation

Method To exploit this vulnerability, an attacker must have a privileged user role (such as administrator or editor) that can submit or modify content within the plugin's interface. Successful exploitation requires user interaction—specifically, a privileged user must click a malicious link, visit a crafted page, or submit a specially crafted form [1]. The vulnerability can be used in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of their size or popularity.

Impact

The vulnerability allows an attacker to inject arbitrary HTML and JavaScript payloads. When executed, these scripts can perform actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing sensitive session data [1]. This stored XSS attack can affect all website visitors and potentially compromise the integrity and trustworthiness of the affected site.

Mitigation and

Patches Patchstack has released a mitigation rule to block attacks until a fix is applied. The vendor has addressed the vulnerability in version 11.72 of the plugin. Users are strongly advised to update to version 11.72 or later immediately. If unable to update, users should consult their hosting provider or web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins to ensure continuous protection [1].