CVE-2025-64203

Vulnerability

Overview

CVE-2025-64203 is a reflected cross-site scripting (XSS) vulnerability in the EverPress Mailster plugin for WordPress, affecting versions prior to 4.1.14. The root cause is improper neutralization of user-supplied input during web page generation, enabling an attacker to inject arbitrary HTML and JavaScript into a response [1].

Exploitation

Exploitation

Exploitation requires user interaction, such as clicking a crafted link or submitting a malicious form. The vulnerability can be triggered by a privileged user, but the attack does not require authentication for the initial injection. The attacker can deliver the payload via a URL or other means that cause the vulnerable plugin to reflect the malicious script in the victim's browser [1].

Impact

Successful exploitation allows an attacker to an attacker to execute arbitrary scripts in the context of the victim's session. This can lead to redirects, display of advertisements, theft of sensitive data, or other malicious actions. The CVSS v3 score is 7.1 (High), and the vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

The vendor has released version 4.1.14 which patches the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule from Patchstack can block attacks until the update is applied [1].