CVE-2025-62963
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Estatik Estatik estatik allows DOM-Based XSS. This issue affects Estatik: from n/a through <= 4.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-Based XSS in Estatik plugin (≤4.3.1) allows attackers to inject malicious scripts via improper input neutralization.
Vulnerability
Overview
The Estatik WordPress plugin, versions up to and including 4.3.1, contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows an attacker to inject arbitrary JavaScript or HTML payloads that execute in the context of a victim's browser.
Exploitation
Details
Exploitation requires user interaction — a privileged user (such as an administrator) must click a crafted link, visit a specially prepared page, or submit a malicious form [1]. The attack is DOM-based, meaning the payload is processed client-side without server-side sanitization. This vulnerability is actively used in mass-exploit campaigns targeting thousands of WordPress sites regardless of size or popularity [1].
Impact
Successful exploitation enables an attacker to inject malicious scripts that can perform actions such as redirecting visitors to attacker-controlled sites, displaying unauthorized advertisements, hijacking sessions, or stealing sensitive data [1]. The CVSS v3 base score is 6.5 (Medium), reflecting the need for user interaction but the potential for significant impact on site integrity and visitor trust.
Mitigation
Users are strongly advised to update the Estatik plugin to a patched version immediately [1]. If an update is not available, site administrators should contact their hosting provider or web developer for assistance. As a temporary workaround, consider disabling the plugin until a fix is applied.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected products (version range <= 4.3.1):
- (no CPE) range: <= 4.3.1
- (no CPE) range: <= 4.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference
News mentions
No linked articles in our index yet.