CVE-2025-62095

Vulnerability

Overview

The Bootstrap Modals plugin for WordPress (versions up to and including 1.3.2) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into modal content that is later rendered to site visitors.

Exploitation

Details

Exploitation requires a privileged user (e.g., an editor or administrator) to perform an action such as clicking a malicious link or submitting a crafted form [1]. Once triggered the injected script is stored on the server and executed in the browsers of other users who view the affected page. No special network position is needed beyond standard web access.

Impact

A successful attack can lead to script execution enabling malicious activities such as redirecting visitors to attacker-controlled sites displaying unwanted advertisements or stealing session cookies [1]. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].

Mitigation

The vendor has not released a patched version beyond 1.3.2; users are strongly advised to update the plugin immediately if a fix becomes available [1]. As an interim measure contact your hosting provider or web developer for assistance [1].