CVE-2025-62127

Vulnerability

Overview CVE-2025-62127 is a DOM-Based Cross-Site Scripting (XSS) vulnerability in the WEN Logo Slider plugin for WordPress, affecting versions up to and including 3.4.0. The root cause is improper neutralization of user input during web page generation, allowing attackers to inject arbitrary JavaScript into the DOM of a victim's browser [1].

Exploitation

Requirements Exploitation requires user interaction, such as a privileged administrator clicking a malicious link or visiting a crafted page. The attacker does not need direct access to the site but relies on tricking a user with sufficient privileges to trigger the payload [1].

Impact

Successful exploitation enables an attacker to execute malicious scripts in the context of the victim's session. This can lead to redirection to malicious sites, display of unauthorized advertisements, or theft of sensitive information. The vulnerability is considered medium severity with a CVSS v3 score of 5.9 [1].

Mitigation

The vulnerability is patched in version 3.5. Users are strongly advised to update the plugin immediately. For Patchstack users, auto-updates can be enabled. As a temporary workaround, if unable to update, consult your hosting provider or web developer for assistance [1].