VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published Oct 27, 2025 · Updated Apr 27, 2026

CVE-2025-62907

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aviplugins.com Custom Post Type Attachment (custom-post-type-pdf-attachment) allows Stored XSS. This issue affects Custom Post Type Attachment: from n/a through 3.4.6 (all versions up to and including 3.4.6).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in the WordPress Custom Post Type Attachment plugin (versions up to and including 3.4.6) allows attackers with contributor-level access or higher to inject malicious scripts via unsanitized input.

The WordPress Custom Post Type Attachment plugin (versions up to and including 3.4.6) does not properly neutralize user-supplied input when it is rendered into a web page. Because the unescaped input is saved and then emitted into page output, the result is a Stored Cross-Site Scripting (XSS) condition [1].

Attackers with contributor-level access or higher can inject arbitrary JavaScript into posts or pages that use the plugin's custom post type attachment functionality. The injected script persists in the database and executes automatically whenever any visitor views the affected page; no further user interaction is required beyond the initial injection [1].

Successful exploitation allows an attacker to redirect victims to malicious sites, inject ads or phishing forms, or steal session cookies and other sensitive data. Because the payload is stored server-side, it affects every visitor who loads the compromised content rather than only a targeted user [1].

The vulnerability is present in all versions up to and including 3.4.6. Users are strongly advised to update the plugin immediately. As a temporary mitigation, restrict the contributor role (and any role that can create or edit content using the plugin) to trusted users, and review existing custom post type attachment inputs for injected script content [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.