CVE-2025-62911

Vulnerability

Analysis

The Rock Convert plugin for WordPress, versions through 3.0.1, contains a stored cross-site scripting (XSS) vulnerability [1]. The issue stems from improper neutralization of user-supplied input during web page generation. This allows an authenticated user with low-level privileges to inject arbitrary JavaScript or HTML into pages that will later be served to other visitors [1].

Exploitation

To exploit this vulnerability, an attacker must have at least contributor-level access to the WordPress site. The stored XSS script is triggered when a privileged user (such as an administrator) performs an action on a crafted page, typically by visiting the affected page or clicking a malicious link embedded in the content [1]. No additional authentication bypass is needed beyond the initial low-privilege account.

Impact

Successful exploitation enables the attacker to execute malicious scripts in the context of the administrator's session. This can lead to session hijacking, forced redirects to malicious sites, injection of unwanted advertisements, or other actions that compromise the integrity and confidentiality of the website and its visitors [1]. The vulnerability is actively used in mass-exploit campaigns targeting thousands of WordPress sites [1].

Mitigation

The vulnerability is present in all versions of Rock Convert from n/a through 3.0.1. Users are strongly advised to update the plugin to the latest patched version as soon as possible. If an update is not available or cannot be applied immediately, site administrators should consider temporarily disabling the plugin or implementing a web application firewall rule to block XSS payloads [1].