CVE-2025-62119
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ViitorCloud Technologies Pvt Ltd Add Featured Image Custom Link custom-url-to-featured-image allows DOM-Based XSS. This issue affects Add Featured Image Custom Link: from n/a through <= 2.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-based XSS in WordPress Add Featured Image Custom Link plugin (<=2.0.0) allows script injection via crafted user interaction.
The Add Featured Image Custom Link plugin for WordPress (versions <= 2.0.0) suffers from a DOM-based Cross-Site Scripting (XSS) vulnerability. The plugin fails to properly neutralize input during web page generation, enabling an attacker to inject malicious scripts that execute in the browser of a visiting user.[1]
Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a crafted link or visiting a specially prepared page. The attack is DOM-based, meaning the payload manipulates the Document Object Model on the client side without needing server-side reflection.[1]
A successful attack allows the injection of arbitrary HTML and JavaScript, which can be used to redirect visitors, display unwanted advertisements, steal session cookies, or deface the site. The CVSS score of 5.9 reflects a medium severity, but the potential for mass exploitation in automated campaigns is significant.[1]
Users are strongly advised to update the plugin to the latest available version as soon as possible. If an update is not yet available, consider temporarily deactivating the plugin or applying a virtual patch via a web application firewall. Hosting providers or web developers can assist with immediate mitigation steps.[1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.0.0
- Range: <=2.0.0
Patches
No patches discovered yet.
References