Medium severity 6.5 · NVD Advisory · Published Oct 27, 2025 · Updated Apr 27, 2026

CVE-2025-62900

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WeblineIndia Popular Posts by Webline popular-posts-by-webline allows Stored XSS. This issue affects Popular Posts by Webline: from n/a through <= 1.1.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Popular Posts by Webline plugin allows attackers with author-level access to inject malicious scripts, affecting site visitors; update to the latest version.

The Popular Posts by Webline plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw affects versions up to and including 1.1.1 and allows malicious scripts to be stored on the server and executed when users visit affected pages [1].

Exploitation requires an authenticated user with at least author-level privileges to inject the payload, as the plugin does not sanitize or escape input properly. However, successful exploitation does not require direct interaction from non-privileged users; once stored, the script executes automatically for any visitor viewing the compromised content [1].

An attacker can leverage this vulnerability to execute arbitrary JavaScript in the context of a visitor's browser, potentially leading to session hijacking, defacement, phishing, or redirection to malicious sites. The vulnerability is rated Medium with a CVSS v3 score of 6.5, reflecting the need for some level of privilege and user interaction [1].

The vendor has addressed the issue in a subsequent release; users are strongly advised to update the plugin to the latest available version. For those unable to update immediately, consider restricting author-level access or disabling the plugin until a patch can be applied [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
