CVE-2025-62125
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anshul Gangrade Custom Background Changer custom-background-changer allows Stored XSS. This issue affects Custom Background Changer: from n/a through <= 3.0.
Analysis
Stored cross-site scripting (XSS) in the Custom Background Changer WordPress plugin, through version 3.0, allows an authenticated attacker to inject JavaScript that persists in the database and executes in the browser of every user who views an affected page. The flaw is one of input handling: user-supplied values are neither sanitized when stored nor escaped when written into the page, so an attacker with access to the plugin's settings can run script in other users' sessions, including administrators', and use that to hijack sessions or steal data. No public exploit code has been identified, and the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the technical severity of stored XSS.
Technical Context
Custom Background Changer is a WordPress plugin that lets site owners customize the site background. The vulnerability is classified as CWE-79 (Cross-site Scripting), specifically stored XSS: user-supplied input is not properly neutralized before it is stored in the database and later rendered into web pages. Unlike reflected XSS, which requires a victim to open a crafted link, stored XSS persists server-side and affects every user who views the compromised content without any further interaction. The plugin lacks adequate input validation and output encoding, so an attacker can inject script tags or event-handler attributes that execute in victims' browsers in the context of their WordPress session, with whatever privileges that session carries.
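The pattern described above, shown as an added illustration of a CWE-79 stored XSS in a WordPress settings handler next to its hardened form. This is hypothetical code written for this page, not the Custom Background Changer plugin's source, and it makes no claim about where that plugin's bug lives; the function and option names (bgdemo_*) and the nonce action are assumptions. It assumes WordPress core is loaded, since update_option, get_option, current_user_can, check_admin_referer, wp_unslash, esc_url_raw, esc_url, esc_attr and wp_die are core APIs.

```php
<?php
/**
 * Added illustration, NOT the plugin's code: the stored-XSS anti-pattern
 * (raw input stored, raw output echoed) beside the fix (authorize, sanitize
 * on input, escape on output). Names prefixed bgdemo_ are assumptions.
 */

/* ---------- Vulnerable pattern: store raw input, echo it unescaped ---------- */

function bgdemo_save_vulnerable() {
    // No capability or nonce check, and the raw request value goes straight
    // into the database. A value such as  "><script>...</script>  persists.
    update_option( 'bgdemo_image', $_POST['bg_image'] ?? '' );
    update_option( 'bgdemo_color', $_POST['bg_color'] ?? '' );
}

function bgdemo_render_vulnerable() {
    // Emitted on every front-end page: the stored payload closes the style
    // attribute and runs in each visitor's browser, administrators included.
    echo '<div id="site-bg" style="background: ' . get_option( 'bgdemo_color' )
        . ' url(' . get_option( 'bgdemo_image' ) . ')"></div>';
}

/* ---------- Hardened pattern: authorize, sanitize on input, escape on output ---------- */

// Accept only a #rgb or #rrggbb colour; anything else becomes the empty string.
function bgdemo_sanitize_hex( $value ) {
    $value = trim( (string) $value );
    return preg_match( '/^#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $value ) ? $value : '';
}

function bgdemo_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( 'bgdemo_save' );   // CSRF check; nonce action name is an assumption

    // Reduce each field to the narrowest valid type before it is stored, so
    // the database never holds markup in the first place.
    $image = isset( $_POST['bg_image'] ) ? esc_url_raw( wp_unslash( $_POST['bg_image'] ) ) : '';
    $color = isset( $_POST['bg_color'] ) ? bgdemo_sanitize_hex( wp_unslash( $_POST['bg_color'] ) ) : '';

    update_option( 'bgdemo_image', $image );
    update_option( 'bgdemo_color', $color );
}

function bgdemo_render_hardened() {
    $image = get_option( 'bgdemo_image', '' );
    $color = get_option( 'bgdemo_color', '' );

    // Escape for the context the value lands in. esc_url() drops characters
    // that cannot appear in a URL (including " < >) and returns '' for a
    // disallowed scheme such as javascript:; esc_attr() encodes quotes so the
    // value cannot close the style attribute. Input sanitizing is defence in
    // depth; output escaping is what keeps the page safe even if a bad value
    // reached the database by some other path.
    printf(
        '<div id="site-bg" style="background: %s url(%s)"></div>',
        esc_attr( $color ),
        esc_url( $image )
    );
}
```

The two halves differ in three places, and a fix for this class of bug needs all three: a capability and nonce check so only an intended role can write the setting, type-narrowing sanitization so stored values cannot carry markup, and context-specific escaping at the point of output.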
Affected Products
Custom Background Changer (authored by Anshul Gangrade) is affected in versions from an unspecified baseline through and including version 3.0. The plugin is distributed through the WordPress plugin repository. CPE data was not provided in available sources, but the vulnerability applies to all WordPress installations with Custom Background Changer version 3.0 or earlier activated. The advisory is documented in the Patchstack vulnerability database under the referenced URL.
Remediation
Update Custom Background Changer to a patched version released after 3.0; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/custom-background-changer/vulnerability/wordpress-custom-background-changer-plugin-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve for the specific fixed version number and availability timeline. If no fixed version is listed, or it cannot be applied immediately, deactivate the plugin until a security update is available. Administrators should review the plugin's stored settings and any background customizations for injected markup and reset them if anything looks wrong; because the payload is stored server-side, inspect the values in the database (for example via WP-CLI) rather than only through the plugin's settings page, which may itself render the injected script. Monitor site security logs and user sessions for signs of session hijacking or unauthorized administrative actions.
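One way to do the stored-settings review above, as an added example that is not part of the advisory or the plugin: a read-only audit of the wp_options table, which is where settings-based plugins keep their values, flagging any option whose value contains script-like content. The pattern list, the bgaudit_* function names and the 'background' name filter are assumptions; substitute the option names the plugin actually uses. It assumes a loaded WordPress instance ($wpdb, get_option) and is meant to be run with WP-CLI's `wp eval-file` or temporarily dropped into wp-content/mu-plugins/.

```php
<?php
/**
 * Added example, not plugin or advisory code: scan stored WordPress options for
 * fragments that have no business in a background colour or image URL setting.
 * Run with:  wp eval-file bgaudit.php
 */

// Regexes for script-bearing fragments. Deliberately broad; treat hits as
// leads to inspect by hand, not as proof of compromise.
function bgaudit_suspicious_patterns() {
    return array(
        '/<\s*script\b/i',                   // inline <script> element
        '/\bon[a-z]+\s*=/i',                 // event-handler attribute: onerror=, onload=, ...
        '/javascript\s*:/i',                 // javascript: URL scheme
        '/<\s*(iframe|object|embed|svg)\b/i',// other script-capable elements
        '/expression\s*\(/i',                // legacy CSS expression()
    );
}

// Return the first matching pattern for a value, or null if nothing matched.
// Serialized arrays are scanned as raw text, which is enough for string payloads.
function bgaudit_check_value( $value ) {
    if ( ! is_string( $value ) ) {
        return null;
    }
    foreach ( bgaudit_suspicious_patterns() as $re ) {
        if ( preg_match( $re, $value ) ) {
            return $re;
        }
    }
    return null;
}

// Scan wp_options. $name_like restricts the scan to options whose name contains
// the substring (e.g. 'background'); pass '' to scan every option. Core options
// such as custom HTML widgets legitimately contain markup, so a broad scan will
// produce hits that need manual review.
function bgaudit_options( $name_like = '' ) {
    global $wpdb;

    $sql = "SELECT option_name, option_value FROM {$wpdb->options}";
    if ( '' !== $name_like ) {
        $sql = $wpdb->prepare(
            $sql . ' WHERE option_name LIKE %s',
            '%' . $wpdb->esc_like( $name_like ) . '%'
        );
    }

    $findings = array();
    foreach ( $wpdb->get_results( $sql ) as $row ) {
        $hit = bgaudit_check_value( $row->option_value );
        if ( null !== $hit ) {
            $findings[] = array( 'option' => $row->option_name, 'pattern' => $hit );
        }
    }
    return $findings;
}

$findings = bgaudit_options( 'background' );
if ( empty( $findings ) ) {
    echo "No script-like content found in matching options.\n";
} else {
    foreach ( $findings as $f ) {
        printf( "SUSPECT option %s matched %s\n", $f['option'], $f['pattern'] );
    }
}
```

The script only reads; a flagged option should be exported for the incident record before it is reset, since the stored value is the evidence of what was injected and when. Because it runs server-side and never renders the value, it avoids the trap of triggering the payload by opening the plugin's own settings page in a browser.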