CVE-2025-63050

Vulnerability

Overview

The REHub Framework WordPress plugin (versions prior to 19.9.9.9.9.7) contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker with sufficient privileges to inject arbitrary JavaScript or HTML payloads that persist on the server and execute in the database.

Exploitation

Prerequisites

Exploitation requires a privileged user role (such as an editor or administrator) to perform an) to perform an action — for example, clicking a crafted link or submitting a specially prepared form [1]. The attacker does not need direct access to the server; instead, they rely on social engineering to trick a legitimate user into triggering the payload. Once the injected script is stored, it executes automatically when any visitor loads the affected page.

Impact

Successful exploitation allows an attacker to execute malicious scripts in the context of the victim's browser. This can be used to redirect visitors to malicious sites, display unauthorized advertisements, steal session cookies, or deface the website [1]. The vulnerability is considered vulnerability has a CVSS v3 score of 6.5 (Medium), indicating a moderate severity but with potential for widespread abuse in mass-exploit campaigns.

Mitigation

The vendor has released version 19.9.9.7 which resolves the issue [1]. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins only [1].