CVE-2025-62913
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpopal Opal Service opal-service allows Stored XSS. This issue affects Opal Service: from n/a through <= 1.9.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the Opal Service plugin (≤1.9.1) allows attackers with contributor-level access to inject malicious scripts that execute in visitors' browsers.
Vulnerability
Overview
The Opal Service plugin for WordPress, versions up to and including 1.9.1, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an authenticated user with contributor-level privileges or higher to inject arbitrary JavaScript or HTML into the plugin's output, which is then stored and executed when other users (including site visitors) view the affected page [1].
Exploitation
Prerequisites
Exploitation requires the attacker to hold a WordPress user account with at least the Contributor role, which lets them create or edit posts using the Opal Service plugin's functionality [1]. The attacker then crafts a malicious payload (e.g., JavaScript code) and submits it through an input field that is not properly sanitized. The payload is stored in the database and later rendered without further validation, so it executes in the browser of any user who visits the compromised page [1]. No additional user interaction is needed for the stored script to execute in the victim's browser, though the initial injection requires the attacker to have the necessary privileges [1].
Impact
Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's browser session [1]. This can be used to steal session cookies, redirect users to malicious sites, deface the website, or perform other actions that the victim can perform on the site. The vulnerability is rated with a CVSS v3 score of 6.5 (Medium) and is known to be used in mass-exploit campaigns targeting thousands of WordPress sites [1].
Mitigation
The vendor has not released a patched version at the time of this writing; users are advised to update the plugin as soon as a fix becomes available [1]. As an immediate workaround, site administrators should restrict contributor-level access to trusted users only, or consider disabling the plugin until a patch is applied [1].
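The following is an added illustration, not code from the Opal Service plugin or from wpopal: it shows the generic WordPress pattern behind the flaw class described in the Overview (a stored, contributor-supplied value reaching the HTML output without neutralization) next to the hardened form that the Mitigation section leaves to a vendor patch. The shortcode name, post-meta keys, nonce name and field names are hypothetical placeholders; the WordPress functions used (`esc_attr`, `wp_kses_post`, `sanitize_text_field`, `current_user_can`, `wp_verify_nonce`) are real core APIs.

```php
<?php
/**
 * Added example (not the plugin's own code). Demonstrates CWE-79 "improper
 * neutralization during web page generation" in a WordPress plugin and the
 * per-context escaping that neutralizes it. All names prefixed demo_ are
 * hypothetical.
 */

// --- Vulnerable pattern: stored meta is echoed into the page verbatim --------
function demo_service_card_vulnerable( $atts ) {
    $atts  = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_service' );
    $id    = (int) $atts['id'];
    $title = get_post_meta( $id, '_demo_service_title', true ); // hypothetical key
    $blurb = get_post_meta( $id, '_demo_service_blurb', true ); // hypothetical key

    // The values reach an attribute context and an HTML body context with no
    // escaping, so whatever a Contributor saved is rendered for every visitor.
    return '<div class="service" data-title="' . $title . '">' . $blurb . '</div>';
}

// --- Hardened pattern: neutralize at output time, per context -----------------
function demo_service_card_safe( $atts ) {
    $atts  = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_service' );
    $id    = (int) $atts['id'];
    $title = get_post_meta( $id, '_demo_service_title', true );
    $blurb = get_post_meta( $id, '_demo_service_blurb', true );

    // esc_attr() for the attribute value; wp_kses_post() restricts the body to
    // the post-safe HTML subset (no script elements, no on* event handlers).
    return '<div class="service" data-title="' . esc_attr( $title ) . '">'
         . wp_kses_post( $blurb )
         . '</div>';
}

// --- Defense in depth: sanitize on save and enforce capabilities --------------
function demo_save_service_meta( $post_id ) {
    if ( ! isset( $_POST['demo_service_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_service_nonce'], 'demo_save_service' ) ) {
        return;
    }
    // Only users allowed to edit this post may write its meta.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['demo_service_title'] ) ) {
        update_post_meta(
            $post_id,
            '_demo_service_title',
            sanitize_text_field( wp_unslash( $_POST['demo_service_title'] ) )
        );
    }
    if ( isset( $_POST['demo_service_blurb'] ) ) {
        // Contributors do not hold unfiltered_html; strip disallowed markup on
        // the way in as well, so the stored value is already safe.
        update_post_meta(
            $post_id,
            '_demo_service_blurb',
            wp_kses_post( wp_unslash( $_POST['demo_service_blurb'] ) )
        );
    }
}

add_shortcode( 'demo_service', 'demo_service_card_safe' );
add_action( 'save_post', 'demo_save_service_meta' );
```

The output-time escaping is the control that actually closes the vulnerability class; sanitizing on save and the capability check reduce what a Contributor can store in the first place, which is the workaround the text describes when a patch is not yet available. Escaping must match the context (attribute vs. HTML body vs. JavaScript), which is why the safe version uses two different functions for the two insertion points.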
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries
- (no CPE) range: <=1.9.1
- (no CPE) range: <=1.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference
News mentions
No linked articles in our index yet.