CVE-2025-62982
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sarah Giles Dynamic User Directory dynamic-user-directory allows Stored XSS. This issue affects Dynamic User Directory: from n/a through <= 2.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Dynamic User Directory plugin versions ≤2.3 allows authenticated attackers to inject malicious scripts into web pages.
Root Cause
The Dynamic User Directory WordPress plugin versions up to and including 2.3 fail to properly neutralize user input during web page generation. This improper neutralization leads to a stored cross-site scripting (XSS) vulnerability [1]. The flaw is classified as CWE-79 and has been assigned a CVSS v3 score of 5.9 (Medium) [1].
Exploitation
To exploit this vulnerability, an attacker needs a privileged user role (such as an editor or administrator) to inject malicious scripts into the plugin's input fields. The injected payload is then stored on the server. Successful exploitation requires another privileged user (e.g., an admin) to perform an action such as visiting a crafted page or clicking a malicious link, which triggers the execution of the stored script [1].
Impact
An attacker can inject arbitrary JavaScript, HTML, or other web scripts into pages generated by the plugin. When other users (including site visitors) load the affected page, the malicious script executes in their browser. This can be used to redirect users to phishing sites, display unwanted advertisements, steal session cookies, or perform other actions within the context of the victim's session [1].
Mitigation
The vulnerability has been fixed in version 2.4 of the plugin. Users are strongly advised to update immediately. Those unable to update should contact their hosting provider or a web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=2.3
- Range: <= 2.3
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.