CVE-2025-62756

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 12:16 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lvaudore The Moneytizer the-moneytizer allows DOM-Based XSS. This issue affects The Moneytizer: from n/a through <= 10.0.9.

Analysis

DOM-based cross-site scripting (XSS) in The Moneytizer WordPress plugin up to version 10.0.9 allows attackers to inject malicious scripts into web pages through improper input neutralization. The vulnerability affects WordPress sites running the vulnerable plugin versions and could enable session hijacking, credential theft, or malware distribution targeting site administrators and visitors. No public exploit code or active exploitation has been confirmed at this time, and the EPSS score of 0.01% suggests minimal real-world exploitation probability.

Technical Context

The Moneytizer is a WordPress plugin (identified via the patchstack.com database reference) that handles monetization functionality. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which indicates the plugin fails to properly sanitize or encode user-supplied input before rendering it in the DOM. DOM-based XSS occurs when client-side JavaScript processes untrusted data from sources like URL parameters, query strings, or form inputs without proper validation or encoding, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser. The affected product is specifically The Moneytizer versions up to and including 10.0.9, as identified through the Patchstack vulnerability database.

Affected Products

The Moneytizer WordPress plugin versions from an unspecified baseline through and including version 10.0.9 are affected by this DOM-based XSS vulnerability. The plugin is distributed through the WordPress.org plugin repository and can be identified via the CPE pattern for WordPress plugins. Affected sites can be identified by checking the installed version of The Moneytizer plugin in the WordPress administrative dashboard.

Remediation

Update The Moneytizer plugin to a version newer than 10.0.9 immediately. WordPress administrators should navigate to Plugins > Installed Plugins in the WordPress admin panel, locate The Moneytizer, and click the update button if available, or download the latest version from the official WordPress plugin repository. If an update beyond 10.0.9 is not yet available, temporarily deactivate the plugin until a patched release is published. For additional details and confirmation of available patch versions, refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/the-moneytizer/vulnerability/wordpress-the-moneytizer-plugin-10-0-6-cross-site-scripting-xss-vulnerability.
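
An added example (not from the advisory or from the plugin's code): a filesystem check for the affected version range, for auditing many sites without opening each dashboard. It assumes the default wp-content/plugins layout; the fixture file name and the version string 10.0.10 are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "the-moneytizer"   # plugin slug as given in the advisory
LAST_AFFECTED = (10, 0, 9)       # advisory: affected through <= 10.0.9

# WordPress reads plugin metadata from a comment header in a top-level PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9.]*)", re.I | re.M)

def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".") if p)

def is_affected(version):
    """Compare numerically: as strings, '10.0.10' would sort below '10.0.9'."""
    padded = version + (0,) * (len(LAST_AFFECTED) - len(version))
    return padded <= LAST_AFFECTED

def audit(wp_root):
    """Return (version, affected) for the plugin, or None if no version is found."""
    # Assumption: default layout; sites that relocate wp-content need another path.
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress only scans the first 8 KiB of a file for header fields.
        version = parse_version(php.read_text(errors="replace")[:8192])
        if version:
            return ".".join(map(str, version)), is_affected(version)
    return None

def make_sample(root, version):
    """Constructed fixture: the PHP file name and its contents are hypothetical."""
    plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
    plugin_dir.mkdir(parents=True)
    header = f"<?php\n/**\n * Plugin Name: The Moneytizer\n * Version: {version}\n */\n"
    (plugin_dir / "example-main.php").write_text(header)

if __name__ == "__main__":
    for sample in ("10.0.9", "10.0.10"):   # constructed version strings
        with tempfile.TemporaryDirectory() as root:
            make_sample(root, sample)
            print(sample, "->", audit(root))
```

A result of `None` means the plugin directory or a version header was not found under that root, not that the site is patched.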

Priority Score

0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
