CVE-2025-63072

Vulnerability

Overview

CVE-2025-63072 is a stored cross-site scripting (XSS) vulnerability in the Cornerstone plugin for WordPress, affecting versions from n/a through 7.7.3. The root cause is improper neutralization of user-supplied input during web page generation, allowing an authenticated attacker with contributor-level privileges or higher to inject arbitrary JavaScript or HTML and JavaScript into the plugin's content [1].

Exploitation

To exploit this vulnerability, an attacker must have at least a Contributor role on the target WordPress site. The attacker can then craft a malicious payload that is stored in the plugin's data and later executed when any visitor (including administrators or regular users load the affected page. The attack does not require direct user interaction from the victim beyond normal page viewing, though the Patchstack advisory notes that successful exploitation may require a privileged user to perform an action such as clicking a link or visiting a crafted page [1].

Impact

Successful exploitation allows the attacker to inject scripts that can perform actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, stealing session cookies, or defacing the website. This can lead to further compromise of the site and its users, and users [1].

Mitigation

The vulnerability is fixed in version 7.7.4 or later. Users are strongly advised to update the Cornerstone plugin immediately. If updating is not possible, site administrators should restrict contributor-level access and consider using a web application firewall to filter malicious input [1].