CVE-2025-62968

Vulnerability

Overview

CVE-2025-62968 affects the WP Last Modified Info plugin for WordPress, versions up to and including 1.9.2. The vulnerability is a Stored Cross-Site Scripting (XSS) caused by improper neutralization of user-supplied input during web page generation. This allows an attacker to inject arbitrary JavaScript or HTML that becomes part of the saved content, executing in the context of other users' browsers [1].

Exploitation

Details

To exploit this vulnerability, an attacker must have a role with the capability to save or update post metadata—typically authors, editors, or administrators. The attack does not require direct user interaction from the victim; the injected script executes automatically when a visitor loads a page containing the malicious content. The CVSS v3 score is 6.5 (Medium), indicating moderate impact with some user interaction requirements, though successful exploitation can lead to wider compromise [1].

Impact

If exploited, an attacker can inject malicious scripts such as redirects, advertisements, or other HTML payloads into affected WordPress sites. When site visitors view posts or pages where the vulnerability is triggered, the script executes, potentially leading to session hijacking, credential theft, or defacement. This type of vulnerability is often used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Mitigation

The vulnerability is remediated in version 1.9.3 of the WP Last Modified Info plugin. All users are advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. There is no workaround available aside from updating or removing the plugin [1].