CVE-2025-62124
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soli WP Post Signature wp-post-signature allows Stored XSS. This issue affects WP Post Signature: from n/a through <= 0.4.1.
Analysis
Stored cross-site scripting (XSS) in the Soli WP Post Signature plugin through version 0.4.1 allows authenticated users to inject malicious scripts into post signatures, which then execute in the browsers of administrators and other site visitors viewing the affected posts. Injecting the payload requires user interaction or administrative access, but once stored it poses a risk to site integrity and user data. The EPSS exploitation probability is minimal at 0.01%, suggesting low real-world attack likelihood despite the vulnerability class.
Technical Context
This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability affecting the WordPress plugin 'WP Post Signature' (CPE variant: wordpress-wp-post-signature through version 0.4.1). The plugin fails to properly sanitize or escape user-supplied input when generating web page content, allowing attackers to embed JavaScript or other executable content in post signature fields. When these signatures are rendered on the frontend or in administrator dashboards, the malicious script executes in the context of the WordPress application. Stored XSS differs from reflected XSS in that the payload persists in the database, making it a persistent threat affecting all users who view the compromised content.
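To make the CWE-79 failure concrete in WordPress terms, the following is an added illustration, not code from WP Post Signature: it contrasts a render path that echoes a stored signature unchanged with one that sanitizes on save and escapes on output. The hook names, the meta key '_example_signature' and the function names are assumptions.

```php
<?php
// Added illustration of the CWE-79 pattern; not code from the plugin.
// Assumptions: the signature is kept in post meta under the hypothetical
// key '_example_signature' and appended to post content via 'the_content'.

// VULNERABLE pattern: whatever was stored is concatenated into the page
// unchanged, so markup saved by one user runs in every visitor's (and
// every administrator's) browser. This is the stored-XSS shape.
function example_append_signature_unsafe( $content ) {
    $signature = get_post_meta( get_the_ID(), '_example_signature', true );
    return $content . '<div class="signature">' . $signature . '</div>';
}

// HARDENED pattern, step 1: sanitize on save. wp_kses_post() keeps only the
// HTML WordPress allows in post content and strips script elements,
// event-handler attributes and javascript: URLs before anything is stored.
function example_save_signature( $post_id ) {
    if ( ! isset( $_POST['example_signature'] ) ) {
        return;
    }
    // Require the same nonce and capability checks the edit screen uses.
    if ( ! isset( $_POST['example_signature_nonce'] )
        || ! wp_verify_nonce( $_POST['example_signature_nonce'], 'example_save_signature' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $clean = wp_kses_post( wp_unslash( $_POST['example_signature'] ) );
    update_post_meta( $post_id, '_example_signature', $clean );
}

// HARDENED pattern, step 2: escape on output as well. Rows written before the
// sanitizer existed may still hold script content (the case an audit of
// existing signatures is meant to catch), so the database is never trusted
// to contain clean HTML. If signatures are meant to be plain text,
// esc_html() is the stricter choice here.
function example_append_signature_safe( $content ) {
    $signature = get_post_meta( get_the_ID(), '_example_signature', true );
    if ( '' === $signature ) {
        return $content;
    }
    return $content . '<div class="signature">' . wp_kses_post( $signature ) . '</div>';
}

add_action( 'save_post', 'example_save_signature' );
add_filter( 'the_content', 'example_append_signature_safe' );
```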
Affected Products
Soli WP Post Signature (wp-post-signature) through version 0.4.1 is affected. The vulnerability impacts all installations of this WordPress plugin at version 0.4.1 and earlier. Additional version range boundaries are not specified in available data. Affected users can reference the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/wp-post-signature/vulnerability/wordpress-wp-post-signature-plugin-0-4-1-cross-site-scripting-xss-vulnerability for detailed vendor advisory information.
Remediation
Update WP Post Signature to a version newer than 0.4.1 immediately. WordPress site administrators should navigate to Plugins > Installed Plugins, locate WP Post Signature, and click 'Update' if an available version is displayed. If no update is available in the WordPress plugin directory, consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-post-signature/vulnerability/wordpress-wp-post-signature-plugin-0-4-1-cross-site-scripting-xss-vulnerability) for patched version availability and release timelines. As an interim measure, disable the WP Post Signature plugin entirely until a patch is confirmed. Site administrators should also audit existing post signatures and comments for injected script content and remove any suspicious entries to eliminate stored XSS payloads.