VYPR
Medium severity · CVSS 6.5 · NVD Advisory · Published Oct 27, 2025 · Updated Apr 27, 2026

CVE-2025-62940

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nick Diego Blox Lite blox-lite allows Stored XSS. This issue affects Blox Lite: from n/a through <= 1.2.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Blox Lite ≤1.2.8 allows authenticated attackers to inject malicious scripts executed when visitors load pages, impacting thousands of sites.

An Improper Neutralization of Input During Web Page Generation vulnerability (Stored Cross-Site Scripting) exists in the WordPress plugin Blox Lite versions up to and including 1.2.8 [1]. The root cause is insufficient sanitization of user-supplied input that is later stored and displayed on web pages, allowing arbitrary HTML and JavaScript to be injected [1].

Exploitation requires a privileged user, such as an editor or administrator, to provide crafted input that is saved to the database [1]. No additional authentication is needed for the stored payload to trigger; it executes when any visitor loads the compromised page. The attack surface is broad because the plugin is widely deployed and such vulnerabilities are frequently used in mass-exploit campaigns targeting thousands of websites regardless of their size [1].

A successful attack enables a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads, which run in the browsers of site visitors [1]. This can lead to defacement, credential theft, or malware distribution, leveraging the trust users place in the compromised site.

The vendor and security researchers recommend updating the Blox Lite plugin to a patched version as an immediate mitigation [1]. If an update is not possible, site administrators should consult their hosting provider or web developer for additional temporary hardening measures. The vulnerability has a CVSS v3 base score of 6.5 (Medium) and does not appear on the CISA Known Exploited Vulnerabilities (KEV) list as of publication [1].
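The description names the general failure mode (input stored without sanitization, then emitted into a page without escaping) but this record does not show the affected code. As an added, generic illustration that is not Blox Lite's own code: a hypothetical WordPress plugin setting written the unsafe way, followed by the sanitize-on-save, escape-on-output form. The option name, field name, hook callbacks and nonce action are assumptions; the WordPress functions used (`update_option`, `get_option`, `wp_unslash`, `wp_kses_post`, `esc_attr`, `wp_strip_all_tags`, `current_user_can`, `check_admin_referer`) are real core APIs.

```php
<?php
// Added illustration, not the Blox Lite plugin's code. The option name
// 'demo_tagline', the POST field and the nonce action are hypothetical.

// --- Unsafe pattern: raw input stored, raw output echoed -------------------
function demo_save_tagline_unsafe() {
    if ( isset( $_POST['demo_tagline'] ) ) {
        // No sanitization: whatever the submitting user typed is persisted verbatim.
        update_option( 'demo_tagline', wp_unslash( $_POST['demo_tagline'] ) );
    }
}

function demo_render_tagline_unsafe() {
    // No escaping: stored markup is emitted into every visitor's page.
    // This is the stored-XSS condition the CVE description refers to.
    echo '<p class="tagline">' . get_option( 'demo_tagline', '' ) . '</p>';
}

// --- Hardened pattern: authorize, sanitize on save, escape on output --------
function demo_save_tagline() {
    if ( ! isset( $_POST['demo_tagline'] ) ) {
        return;
    }
    // Capability check: only users allowed to manage options may change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Nonce check ties the request to the plugin's own settings form
    // (hypothetical action name).
    check_admin_referer( 'demo_save_tagline' );

    $raw = wp_unslash( $_POST['demo_tagline'] );
    // wp_kses_post() keeps the tag set WordPress allows in post content and
    // strips <script>, on* event handlers and javascript: URLs. If the field
    // is meant to be plain text, sanitize_text_field() is the stricter choice.
    update_option( 'demo_tagline', wp_kses_post( $raw ) );
}

function demo_render_tagline() {
    // Escape at the point of output as well: stored data is not trusted just
    // because some earlier version of the save path may have filtered it.
    echo '<p class="tagline">' . wp_kses_post( get_option( 'demo_tagline', '' ) ) . '</p>';
}

// Attribute context needs attribute escaping; HTML-body filtering is not enough.
function demo_render_tagline_attr() {
    $title = get_option( 'demo_tagline', '' );
    echo '<div class="tagline" title="' . esc_attr( wp_strip_all_tags( $title ) ) . '"></div>';
}
```

The reason output escaping is kept even after a sanitizing save is that an option can also be written by other code paths (imports, REST or WP-CLI, an older plugin version), so the render function should not depend on how the value got into the database. Choosing the escaping function by output context (body, attribute, URL, JavaScript) is the general rule; `wp_kses_post()` is the same filter WordPress core applies to post content for users without the `unfiltered_html` capability.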

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (No linked articles in our index yet.)