CVE-2025-62749

2025-12-31 [email protected]

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 12:16 nvd
N/A

Tags

WordPress PHP XSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bainternet User Specific Content user-specific-content allows DOM-Based XSS.This issue affects User Specific Content: from n/a through <= 1.0.6.

Analysis

DOM-based cross-site scripting (XSS) in Bainternet User Specific Content WordPress plugin versions 1.0.6 and earlier allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers without authentication. While no public exploit code or active exploitation has been confirmed, the extremely low EPSS score (0.01%) and lack of CVSS vector data suggest limited real-world exploitability or specificity to attack scenarios, despite the XSS classification.

Technical Context

The vulnerability is a DOM-based XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in a WordPress plugin designed to display user-specific content. DOM-based XSS occurs when untrusted user input is processed by client-side JavaScript without proper sanitization or encoding before being inserted into the DOM. This differs from reflected or stored XSS, as the malicious payload is typically executed through manipulation of the browser's DOM environment rather than server-side reflection. The User Specific Content plugin, identified via CPE references to the WordPress plugin ecosystem, failed to sanitize input parameters that influence page rendering, allowing attackers to break out of intended data contexts and execute script tags or event handlers.

Affected Products

Bainternet User Specific Content WordPress plugin versions up to and including 1.0.6 are affected. The plugin is available through the WordPress plugin repository and is identified by the Patchstack security research team. All installations running version 1.0.6 or earlier require remediation.

Remediation

Update Bainternet User Specific Content to a patched version beyond 1.0.6. Consult the official WordPress plugin repository or the vendor's security advisory at https://patchstack.com/database/Wordpress/Plugin/user-specific-content/vulnerability/wordpress-user-specific-content-plugin-1-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve for the exact fixed version and installation instructions. If an immediate patch is unavailable, disable the plugin until an update is released, or implement content security policy (CSP) headers on the WordPress site to mitigate XSS execution.

Priority Score

0
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0

Share

CVE-2025-62749 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy