CVE-2025-62125

The Custom Background Changer plugin for WordPress, versions up to and including 3.0, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw allows an attacker with sufficient privileges to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users visit affected pages [1].

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link or submitting a crafted form. Once triggered, the injected script is stored and will execute in the browsers of visitors to the site, without requiring further interaction from the victim [1].

Successful exploitation could allow an attacker to perform actions such as redirecting visitors to malicious sites, displaying advertisements, or stealing session cookies. This could lead to further compromise of the WordPress site and its users [1].

As of the publication date, the vendor has not released a patched version. Users are advised to update the plugin immediately if a fix becomes available, or to contact their hosting provider for assistance. This vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites [1].