Skip to main content

Anshul Gangrade Custom Background Changer CVE-2025-62125

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 13:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anshul Gangrade Custom Background Changer custom-background-changer allows Stored XSS.This issue affects Custom Background Changer: from n/a through <= 3.0.

AnalysisAI

Stored cross-site scripting (XSS) in Custom Background Changer WordPress plugin through version 3.0 allows authenticated attackers to inject malicious JavaScript that persists in the database and executes for all users viewing affected pages. The vulnerability stems from improper input sanitization during web page generation, enabling attackers with plugin access to compromise user sessions and steal sensitive data. No public exploit code has been identified, and the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the vulnerability's technical severity.

Technical ContextAI

Custom Background Changer is a WordPress plugin that enables users to customize site backgrounds. The vulnerability exists in CWE-79 (Cross-site Scripting), specifically stored XSS, where user-supplied input is not properly neutralized before being stored in the database and rendered in web pages. Unlike reflected XSS which requires user interaction with a malicious link, stored XSS persists server-side, affecting all users who view the compromised content. The plugin fails to implement adequate input validation and output encoding mechanisms, allowing attackers to inject script tags or event handlers that execute in victim browsers with the privileges of the WordPress session.

Affected ProductsAI

Custom Background Changer (authored by Anshul Gangrade) is affected in versions from an unspecified baseline through and including version 3.0. The plugin is distributed through the WordPress plugin repository. CPE data was not provided in available sources, but the vulnerability applies to all WordPress installations with Custom Background Changer version 3.0 or earlier activated. The advisory is documented in the Patchstack vulnerability database under the referenced URL.

RemediationAI

Update Custom Background Changer to a patched version released after 3.0; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/custom-background-changer/vulnerability/wordpress-custom-background-changer-plugin-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve for the specific fixed version number and availability timeline. If an immediate patch is unavailable, disable the Custom Background Changer plugin until a security update is released. Administrators should review the plugin's settings and any background customizations that may have been injected with malicious code, and consider resetting them. Monitor site security logs and user sessions for signs of session hijacking or unauthorized administrative actions.

Share

CVE-2025-62125 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy