CVE-2025-62752

Vulnerability

Overview

CVE-2025-62752 is a DOM-Based Cross-Site Scripting (XSS) vulnerability in the Kalender.digital WordPress plugin, affecting versions from n/a through 1.0.13. The root cause is improper neutralization of user input during web page generation, allowing an attacker to inject arbitrary JavaScript into the DOM of a victim's browser [1].

Exploitation

Details

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. The vulnerability can be initiated by a privileged user-initiated, meaning a user with certain roles may trigger the payload. Once triggered, the injected script executes in the context is executed within the victim's browser session [1].

Impact

Successful exploitation enables an attacker to execute arbitrary scripts in the context of the affected site. This can lead to redirects, injection of advertisements, or other HTML payloads that execute when visitors access the site. The CVSS v3 base score is 6.5 (Medium), indicating moderate severity [1].

Mitigation

The vendor has released version 1.0.14, which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].