CVE-2025-62899

Vulnerability

Overview

CVE-2025-62899 is a stored cross-site scripting (XSS) vulnerability in the Photospace Responsive plugin for WordPress, affecting versions through 2.2.0. The plugin fails to properly neutralize user input during web page generation, allowing malicious users with sufficient privileges to inject arbitrary HTML and JavaScript. This type of vulnerability is often exploited in mass campaigns targeting thousands of websites [1].

Exploitation

Details

Exploitation requires a privileged user (e.g., Contributor or Author) to submit crafted input that is stored on the server. When administrative or other users visit the affected page, the injected script executes in their browsers. No additional user interaction beyond normal page viewing is needed for the stored script to trigger, but the initial injection necessitates a privileged account [1].

Impact

An attacker can inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which execute when any guest visits the site. This can lead to data theft, session hijacking, defacement, or distribution of malware, compromising site integrity and user trust [1].

Mitigation

The vendor has not released a patched version as of the disclosure date. Users are strongly advised to update the plugin immediately if a fix becomes available. As a workaround, consider restricting user roles with posting capabilities or using a web application firewall (WAF) to block malicious payloads. Given that this vulnerability is suitable for mass exploitation, prompt action is recommended [1].