CVE-2025-62901

Vulnerability

Overview The WP Microdata plugin for WordPress, versions up to and including 1.0, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into the plugin's output, which is then stored and executed when other users visit the affected page.

Exploitation

Conditions Exploitation requires a privileged user (e.g., an editor or administrator) to perform an action such as clicking a malicious link or visiting a crafted page [1]. The attacker does not need direct access to the site but can deliver the payload through social engineering or by compromising a lower-privileged account. Once the script is stored, any visitor to the compromised page will execute the injected code.

Impact

Successful exploitation enables an attacker to inject malicious scripts that can perform redirects, display advertisements, steal session cookies, or deface the website. This vulnerability is particularly dangerous because it can be used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].

Mitigation

The vendor has not released a patched version; users are advised to update the plugin immediately if a fix becomes available. If updating is not possible, contact your hosting provider or web developer for assistance. The CVSS score of 6.5 (Medium) reflects the need for user interaction and the potential for widespread impact potential [1].