CVE-2025-62989

Vulnerability

Overview

CVE-2025-62989 is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin Cooked, affecting versions up to and including 1.11.3. The root cause is improper neutralization of user-supplied input during web page generation, which allows an attacker to inject arbitrary HTML and store arbitrary JavaScript or HTML payloads within the application [1].

Exploitation

To exploit this vulnerability, an attacker must have a privileged user role (such as a contributor or higher) that can submit content processed by the plugin. The stored payload is then executed when other users, including site visitors, access the affected page. User interaction is required for the initial injection, but the stored script runs automatically for subsequent viewers [1].

Impact

Successful exploitation enables an attacker to perform actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or injecting advertisements, stealing session cookies, or exfiltrating sensitive data, and performing other client-side attacks within the context of the victim's browser session [1].

Mitigation

The vendor has released version 1.11.4 which resolves the vulnerability. Users are strongly advised to update immediately. For Patchstack users, enabling auto-update auto-updates for vulnerable plugins can be enabled. No workaround is available; updating is the only complete fix [1].