CVE-2025-63021

Overview

CVE-2025-63021 is a DOM-Based Cross-Site Scripting (XSS) vulnerability in the WordPress Valenti Engine plugin, affecting versions up to and including 1.0.3. The issue stems from improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts that execute in the context of a user's browser.

Exploitation

Exploitation requires user interaction, typically involving a privileged user (such as an administrator) clicking a malicious link or visiting a crafted page. The attacker does not need authentication but relies on social engineering to trigger the payload. This vulnerability is targeted in mass-exploit campaigns, affecting thousands of websites regardless of size or popularity [1].

Impact

Successful exploitation enables an attacker to inject arbitrary HTML and JavaScript into the affected site. This can be used to perform unwanted redirects, display advertisements, steal session cookies, or deface the website. The injected script executes when a visitor loads the compromised page, potentially leading to further compromise of user data or site integrity.

Mitigation

As of the publication date, no patched version is available for versions beyond 1.0.3. The vendor recommends updating the plugin immediately if a newer version is released. If unable to update, site administrators should consult their hosting provider or web developer for assistance. Given the active use in mass campaigns, prioritising remediation is critical [1].