CVE-2025-62987

Vulnerability

CVE-2025-62987 is a Stored Cross-Site Scripting (XSS) vulnerability in the Builderall Builder for WordPress plugin (builderall-cheetah-for-wp), affecting versions up to and including 3.0.1 [1]. The root cause is improper neutralization of user-supplied input during web page generation, allowing malicious script content to be permanently stored on the server and executed in the context of a visitor's browser [1].

Exploitation

Exploitation requires a privileged user role that can submit or save content through the plugin's interface; however, the attack is initiated when an unsuspecting victim — typically a site visitor — performs an action such as clicking a malicious link or visiting a crafted page [1]. This user interaction triggers the stored payload, which runs in the visitor's browser session [1].

Impact

A successful attack allows an adversary to inject arbitrary HTML and JavaScript payloads into the website, including redirects, advertisements, or other malicious scripts [1]. These payloads execute whenever a guest visits the affected site, making the vulnerability suitable for mass-exploit campaigns targeting large numbers of WordPress installations regardless of site popularity [1].

Mitigation

The vendor has released a fix; users are strongly advised to update the plugin to a patched version immediately [1]. If immediate updating is not possible, administrators should contact their hosting provider or web developer for interim protection measures [1]. This vulnerability has a CVSS v3 base score of 6.5 (Medium) and requires user interaction to be exploited [1].