VYPR
Medium severity · CVSS 6.5 · NVD Advisory · Published Oct 27, 2025 · Updated Apr 15, 2026

CVE-2025-62967


Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Designinvento DirectoryPress directorypress allows DOM-Based XSS. This issue affects DirectoryPress: from n/a through <= 3.6.25.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DirectoryPress plugin ≤3.6.25 has a DOM-based XSS flaw due to improper input sanitization, allowing script injection via crafted requests.

The DirectoryPress plugin for WordPress versions 3.6.25 and earlier contains a DOM-based Cross-Site Scripting (XSS) vulnerability caused by improper neutralization of user input during web page generation [1]. This flaw arises because the plugin fails to sanitize or encode certain data before including it in the Document Object Model (DOM) of the page, enabling an attacker to inject malicious scripts that execute in the context of the victim's browser.

To exploit this vulnerability, an attacker must be able to deliver crafted input to a page that processes it unsafely within the DOM. While no authentication is explicitly required to trigger the injection, successful exploitation depends on user interaction—a privileged user (such as an administrator) must click a malicious link, visit a specially crafted page, or submit a form that leads to script execution [1]. This makes the attack vector reliant on social engineering or other means to lure the target.

Successful exploitation could allow an attacker to inject arbitrary HTML and JavaScript, leading to actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing sensitive information like session cookies [1]. The CVSS v3 base score of 6.5 reflects the medium severity of this vulnerability, with attack complexity high and privileges required low.

The vendor has released version 3.6.26 to address the issue; users are strongly advised to update immediately. For those unable to update, enabling auto-updates for vulnerable plugins via a security plugin like Patchstack can help mitigate risk [1]. As of the publication date, no evidence of mass exploitation has been reported.
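The following is an added illustration of the bug class described above, not DirectoryPress code and not derived from the plugin: a hypothetical listing-search widget that reads a search term from the URL fragment (attacker-controlled via a crafted link) and builds markup for innerHTML. The unsafe renderer concatenates the raw term; the hardened renderer HTML-encodes it first. The helper names, the `#q=` fragment parameter and the sample fragment are all assumptions constructed for this example.

```javascript
// Added example: DOM-based XSS sink versus its encoded counterpart.
// Hypothetical widget; none of this is DirectoryPress code.

// Encode the five characters that matter when text is inserted into
// element content or a double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pull the search term out of a fragment such as "#q=plumbers&page=2".
// location.hash is a classic DOM XSS source: it comes straight from the URL
// the victim was lured into opening and never touches the server.
function termFromFragment(hash) {
  const params = new URLSearchParams(String(hash).replace(/^#/, ''));
  return params.get('q') || '';
}

// VULNERABLE (assumed pattern): untrusted text concatenated into markup
// that will be assigned to innerHTML, so any tags in the term become live DOM.
function renderResultsHeaderUnsafe(term) {
  return '<h2>Results for "' + term + '"</h2>';
}

// HARDENED: identical markup, but the untrusted value is encoded first,
// so a term containing "<" or "\"" is rendered as text, not parsed as HTML.
function renderResultsHeaderSafe(term) {
  return '<h2>Results for "' + escapeHtml(term) + '"</h2>';
}

// Mount helper: assigns innerHTML when a real DOM element is supplied,
// otherwise (e.g. under Node, which has no document) just returns the markup.
function mount(container, html) {
  if (container && typeof container === 'object' && 'innerHTML' in container) {
    container.innerHTML = html;
  }
  return html;
}

// Regression check a reviewer can keep in a test suite: no tag present in the
// untrusted input may appear unencoded in the rendered markup.
function containsRawTag(untrusted, rendered) {
  const tags = String(untrusted).match(/<[^>]+>/g) || [];
  return tags.some((tag) => rendered.includes(tag));
}

// Constructed sample fragment carrying harmless markup, used to show that the
// unsafe renderer passes the tag through while the safe one neutralises it.
const SAMPLE_FRAGMENT = '#q=<i>not text</i>';

function demo() {
  const term = termFromFragment(SAMPLE_FRAGMENT);
  const container = typeof document !== 'undefined' ? document.getElementById('results') : null;
  return {
    unsafeLeaksTag: containsRawTag(term, mount(container, renderResultsHeaderUnsafe(term))),
    safeLeaksTag: containsRawTag(term, mount(container, renderResultsHeaderSafe(term))),
  };
}

// Running demo() under Node yields { unsafeLeaksTag: true, safeLeaksTag: false }.
```

In real client-side code the cleanest fix is usually to avoid the HTML-building path entirely and assign the untrusted value with `textContent` (or `setAttribute`) instead of `innerHTML`; encoding as shown above is what is needed when markup strings are unavoidable, and the `containsRawTag` check gives a cheap way to catch a regression before release.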

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)