CVE-2025-62761

Vulnerability

Overview

CVE-2025-62761 is a stored cross-site scripting (XSS) vulnerability found in the BasePress Knowledge Base documentation & wiki plugin for WordPress, affecting versions from n/a through 2.17.0.1. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and store arbitrary HTML or JavaScript payloads within the plugin's content [1].

Exploitation

Prerequisites

Exploitation requires a privileged user (e.g., an editor or administrator) to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form. The vulnerability is classified as medium severity (CVSS v3 base score 6.5) and is known to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

Impact

A successful attack enables a malicious actor to inject scripts that execute when other visitors' browsers. This can lead to redirects, display of advertisements, or other HTML payloads, potentially compromising the integrity of the site and its users [1].

Mitigation

The vendor has released version 2.17.0.2 to address the issue. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended [1].