VYPR
Medium severity 6.5 · NVD Advisory · Published Dec 21, 2025 · Updated Apr 23, 2026

CVE-2025-62926

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HappyDevs TempTool [Show Current Template Info] current-template-name allows Stored XSS. This issue affects TempTool [Show Current Template Info]: from n/a through <= 1.3.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in TempTool [Show Current Template Info] plugin for WordPress (≤1.3.1) allows attackers to inject malicious scripts via unsanitized input.

Vulnerability Overview

CVE-2025-62926 is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin TempTool [Show Current Template Info] (plugin slug: current-template-name), affecting all versions up to and including 1.3.1. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into the plugin's output [1].

Exploitation Conditions

To exploit this vulnerability, an attacker must have a privileged user role (e.g., administrator) that can interact with the plugin's settings or template display functionality. The attack requires user interaction, such as clicking a malicious link or submitting a crafted form, to trigger the stored payload. Once stored, the injected script executes in the context of any visitor's browser when they view the affected page [1].

Impact

Successful exploitation enables an attacker to inject malicious scripts that can perform actions such as redirecting visitors to attacker-controlled sites, displaying unwanted advertisements, or stealing session cookies. This can lead to defacement, phishing, or further compromise of the WordPress site and its users [1].

Mitigation

The vulnerability is patched in version 1.3.2 and later. Users are strongly advised to update the plugin immediately. If updating is not possible, site administrators should consider disabling the plugin or implementing a web application firewall (WAF) rule to block XSS payloads. The vulnerability is rated medium severity (CVSS 6.5) and is known to be used in mass-exploit campaigns [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
