CVE-2025-62939

Vulnerability

Overview

The Open Currency Converter plugin for WordPress (versions up to and including 1.5.0) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This means that input provided by an attacker is not properly sanitized before being stored and later displayed to other users, allowing arbitrary HTML and JavaScript to be injected into the site.

Exploitation

Details

Exploitation requires a privileged user (such as an administrator) to perform an action—for example, clicking a malicious link, visiting a crafted page, or submitting a form [1]. The attacker does not need direct access to the site but must convince a user with the necessary privileges to interact with the malicious payload. Once the payload is stored, it will be executed in the browsers of visitors who view the affected page.

Impact

A successful attack allows the attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into the website [1]. These scripts execute when guests visit the site, potentially leading to data theft, defacement, or further compromise of the site and its users.

Mitigation

The vulnerability has been patched in versions after 1.5.0. Users are strongly advised to update the plugin immediately [1]. If updating is not possible, contacting the hosting provider or a web developer for assistance is recommended. No workaround is currently available.