CVE-2025-63032

Vulnerability

Overview

The Consulting WordPress theme, version 1.5.0 and earlier, contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This means that input submitted by authorized users is not sanitized before being stored and later displayed to other users.

Exploitation

Exploitation requires an attacker with at least a privileged user role (such as contributor or higher) to submit crafted input that contains malicious JavaScript or HTML. The injected payload is stored on the server and subsequently executed in the browsers of site visitors who view the affected page. No direct interaction from the victim is required beyond normal page access, but the initial attack relies on a privileged user performing an action such as submitting a form [1].

Impact

A successful attack allows an attacker to inject arbitrary scripts, redirects, advertisements, or other HTML payloads into the website. These scripts execute whenever a guest visits the compromised page, potentially leading to session hijacking, defacement, or phishing attacks [1]. The vulnerability is listed as having a CVSS v3 base score of 6.5 (Medium), reflecting the need for authenticated access but the broad scope of harm to visitors and site integrity.

Mitigation

Users are advised to immediately update the Consulting theme to the latest patched version. If an update is not available, contacting the hosting provider or a web developer for assistance is recommended. This vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].