CVE-2025-67551

A stored cross-site scripting (XSS) vulnerability exists in the Wappointment WordPress plugin, versions up to and including 2.6.9. The flaw arises from improper neutralization of user input during web page generation, allowing an attacker to inject arbitrary scripts that are stored and executed in the context of other users' browsers [1].

Exploitation requires a privileged user, such as an administrator, to perform an action like clicking a malicious link or submitting a crafted form. Once triggered, the injected script is stored on the server and executed when any visitor accesses the affected page. This attack vector is commonly used in automated mass-exploit campaigns targeting WordPress sites [1].

A successful attack can lead to injection of malicious scripts, including redirects, advertisements, and other HTML payloads. This compromises the integrity of the website and can affect all visitors, potentially leading to further attacks or data theft [1].

The vulnerability is patched in version 2.7.0. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. As an interim measure, if direct update is not possible, consulting with a hosting provider or web developer is recommended [1].