Skip to main content

CVE-2025-62756

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 12:16 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lvaudore The Moneytizer the-moneytizer allows DOM-Based XSS.This issue affects The Moneytizer: from n/a through <= 10.0.9.

AnalysisAI

DOM-based cross-site scripting (XSS) in The Moneytizer WordPress plugin up to version 10.0.9 allows attackers to inject malicious scripts into web pages through improper input neutralization. The vulnerability affects WordPress sites running the vulnerable plugin versions and could enable session hijacking, credential theft, or malware distribution targeting site administrators and visitors. No public exploit code or active exploitation has been confirmed at this time, though the EPSS score of 0.01% suggests minimal real-world exploitation probability.

Technical ContextAI

The Moneytizer is a WordPress plugin (identified via the patchstack.com database reference) that handles monetization functionality. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which indicates the plugin fails to properly sanitize or encode user-supplied input before rendering it in the DOM. DOM-based XSS occurs when client-side JavaScript processes untrusted data from sources like URL parameters, query strings, or form inputs without proper validation or encoding, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser. The affected product is specifically The Moneytizer versions up to and including 10.0.9, as identified through the Patchstack vulnerability database.

Affected ProductsAI

The Moneytizer WordPress plugin versions from an unspecified baseline through and including version 10.0.9 are vulnerable to this DOM-based XSS vulnerability. The plugin is distributed through the WordPress.org plugin repository and can be identified via the CPE pattern for WordPress plugins. Affected sites can be identified by checking the installed version of The Moneytizer plugin in WordPress administrative dashboards.

RemediationAI

Update The Moneytizer plugin to a version newer than 10.0.9 immediately. WordPress administrators should navigate to Plugins > Installed Plugins in the WordPress admin panel, locate The Moneytizer, and click the update button if available, or download the latest version from the official WordPress plugin repository. If an update beyond 10.0.9 is not yet available, temporarily deactivate the plugin until a patched release is published. For additional details and confirmation of available patch versions, refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/the-moneytizer/vulnerability/wordpress-the-moneytizer-plugin-10-0-6-cross-site-scripting-xss-vulnerability.

Share

CVE-2025-62756 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy