CVE-2025-62119
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ViitorCloud Technologies Pvt Ltd Add Featured Image Custom Link custom-url-to-featured-image allows DOM-Based XSS. This issue affects Add Featured Image Custom Link: from n/a through <= 2.0.0.
Analysis
DOM-based cross-site scripting in the ViitorCloud Technologies Add Featured Image Custom Link WordPress plugin (versions up to 2.0.0) allows unauthenticated attackers to inject arbitrary JavaScript into web pages through improper input sanitization. The vulnerability affects the custom URL handling mechanism for featured images, enabling malicious actors to steal session cookies, perform account takeover, or redirect users to phishing sites. EPSS score of 0.01% indicates minimal real-world exploitation probability despite the XSS classification.
Technical Context
This is a DOM-based XSS vulnerability rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation). The Add Featured Image Custom Link plugin processes user-supplied input related to featured image URLs without adequate output encoding or input validation, allowing JavaScript to be injected into the DOM at runtime. WordPress plugins are particularly susceptible to XSS when they interact with custom post metadata or URL parameters without using WordPress sanitization functions (sanitize_text_field, wp_kses_post, etc.) and escaping functions (esc_attr, esc_url, etc.). DOM-based XSS differs from reflected or stored XSS in that the malicious payload is processed entirely on the client side through JavaScript, rather than being generated server-side, making it particularly difficult to detect via server logs.
Affected Products
The ViitorCloud Technologies Pvt Ltd Add Featured Image Custom Link WordPress plugin is affected in all versions from the initial release through version 2.0.0 inclusive. The plugin is distributed through the WordPress.org plugin repository under the identifier custom-url-to-featured-image. No patch version number is currently identified; organizations should check the plugin's update status via the WordPress admin dashboard or the official repository at wordpress.org/plugins/custom-url-to-featured-image/.
Remediation
The primary remediation is to update the Add Featured Image Custom Link plugin to a version newer than 2.0.0 if such a patched version is available via the WordPress plugin update mechanism. Site administrators should immediately review the plugin's repository page for update availability. As an interim mitigation, administrators can temporarily disable the plugin until a patch is released, or restrict access to plugin functionality to trusted users only by using WordPress role-based capabilities. Additionally, implement Content Security Policy (CSP) headers on the WordPress site to limit the impact of any injected scripts. Site owners should also audit any custom URLs previously configured through this plugin for suspicious content and monitor user account activity for unauthorized access.