CVE-2025-62943
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matt McInvale Next Page, Not Next Post next-page-not-next-post allows Stored XSS. This issue affects Next Page, Not Next Post: from n/a through <= 0.3.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the Next Page, Not Next Post WordPress plugin (≤0.3.0) allows attackers to inject malicious scripts via improperly neutralized input.
The Next Page, Not Next Post WordPress plugin (versions 0.3.0 and earlier) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed in the browsers of visitors.
Exploitation requires a user with at least contributor-level privileges to submit crafted input through the plugin's interface; no additional authentication is needed beyond the WordPress user role [1]. The injected payload persists in the database and triggers automatically when any user (including site administrators) views the affected page.
Successful exploitation allows an attacker to perform actions such as redirecting visitors to malicious sites, displaying advertisements, or stealing session cookies [1]. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of WordPress sites simultaneously.
As of the publication date, no patched version has been released; users are advised to disable the plugin or apply a web application firewall rule to mitigate the risk [1]. Site administrators should also review user roles and limit contributor access where possible.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE) range: <=0.3.0
- (no CPE) range: <=0.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference
News mentions
No linked articles in our index yet.