CVE-2025-62937

Vulnerability

Overview

CVE-2025-62937 describes a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Post List Featured Image, affecting versions from n/a up to and including 0.5.9. The root cause is improper neutralization of user-supplied input during web page generation, allowing injection of arbitrary JavaScript into the plugin's output. [1]

Exploitation

Details

To exploit this vulnerability, an attacker must have at least contributor-level access to the WordPress site, as the malicious input is stored and later displayed without sanitization. Successful exploitation requires an administrator or other privileged user to visit the affected page, at which point the injected script executes in their browser. This user interaction is necessary for the attack to succeed. [1]

Impact

If exploited, an attacker can inject arbitrary HTML and JavaScript payloads, including redirects, advertisements, and other malicious content. This can lead to website defacement, theft of session cookies, credential harvesting, and other forms of client-side attacks. The vulnerability is considered a mass-exploitation target, meaning attackers may attempt to compromise thousands of sites simultaneously. [1]

Mitigation

Users are strongly advised to update the Post List Featured Image plugin to a patched version (beyond 0.5.9) as soon as possible. If an update is not available, consider disabling the plugin or seeking assistance from a hosting provider or web developer. [1]