CVE-2025-62742
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Curator.io Curator.io curatorio allows Stored XSS. This issue affects Curator.io: from n/a through <= 1.9.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the Curator.io WordPress plugin up to 1.9.5 allows authenticated attackers to inject arbitrary scripts executed on visitors' browsers.
Root Cause
CVE-2025-62742 describes a Stored Cross-Site Scripting (XSS) vulnerability in the Curator.io WordPress plugin, versions *1.9.5 and earlier* (the lower bound of the affected range is listed as n/a). The plugin fails to properly neutralize user-supplied input during web page generation. This improper neutralization allows a privileged user (e.g., a contributor or higher) to inject malicious scripts that are stored on the server and later executed in the browsers of other users visiting the affected pages [1].
Exploitation
To exploit this vulnerability, an attacker must first have an authenticated account with sufficient privileges to add or edit content that uses the Curator.io plugin. The attack vector is Network and the attack complexity is Low. The required user interaction is on the part of the victim: a privileged user must perform an action (such as clicking a link or submitting a form) that triggers the stored payload. Once the malicious script is embedded, it executes automatically for any guest or other user viewing the page [1].
Impact
Successful exploitation could allow the attacker to inject arbitrary HTML and JavaScript, leading to redirects, unwanted advertisements, content defacement, or theft of sensitive information such as session tokens. The CVSS v3 base score is 6.5 (Medium), indicating significant potential for harm, particularly in mass-exploit campaigns targeting thousands of WordPress sites simultaneously [1].
Mitigation
The vendor has released version 1.9.6, which resolves the vulnerability. Users are strongly advised to update immediately, or to enable auto-updates if using Patchstack. No workaround is described for users who cannot upgrade [1].
As of the publication date, this issue is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, but the advisory notes that similar XSS flaws are frequently used in mass attacks.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 1.9.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.