CVE-2025-62759
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Tadlock Series series allows Stored XSS. This issue affects Series: from n/a through <= 2.0.1.
Analysis
Stored cross-site scripting (XSS) in the Justin Tadlock Series WordPress plugin up to version 2.0.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage within the plugin's data structures. With an EPSS score of 0.04% and low exploitation probability, this represents a lower-priority but still exploitable vulnerability in a plugin with active distribution.
Technical Context
The Series plugin for WordPress fails to properly sanitize and escape user-supplied input before rendering it in web page output, violating CWE-79 (Improper Neutralization of Input During Web Page Generation). WordPress plugins that handle user input without adequate escaping functions (such as esc_attr(), esc_html(), wp_kses_post()) create persistent XSS vectors where malicious scripts become part of the site's stored data. This vulnerability likely affects template rendering, post/series editing, or settings pages where the plugin processes and displays user-controlled data without sufficient output encoding.
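To make the CWE-79 pattern concrete, here is an added illustration (not the Series plugin's own code, and not a claim about where its defect sits) of a WordPress settings renderer in its unescaped and its hardened forms, using the escaping functions named above. The option name series_settings and the three function names are hypothetical; a WordPress runtime is assumed for get_option(), esc_attr(), esc_html(), wp_kses_post() and sanitize_text_field().

```php
<?php
// Hypothetical example of the CWE-79 pattern; not the Series plugin's code.
// Assumes WordPress is loaded. 'series_settings' is an assumed option name
// holding text that an editor-level user typed into a settings form.

// Vulnerable form: stored, user-controlled values are echoed straight into
// an attribute context and an HTML text context. Whatever was saved,
// markup included, becomes part of every page that renders this block.
function series_render_settings_unsafe() {
    $settings = get_option( 'series_settings', array() );
    $title = isset( $settings['title'] ) ? $settings['title'] : '';
    $desc  = isset( $settings['description'] ) ? $settings['description'] : '';
    echo '<h2 class="series-title" title="' . $title . '">' . $title . '</h2>';
    echo '<div class="series-desc">' . $desc . '</div>';
}

// Hardened form: escape at the point of output and pick the escaper for the
// context. esc_attr() inside attribute values, esc_html() for text nodes,
// wp_kses_post() only where limited post-style HTML is intentionally allowed.
function series_render_settings_safe() {
    $settings = get_option( 'series_settings', array() );
    $title = isset( $settings['title'] ) ? $settings['title'] : '';
    $desc  = isset( $settings['description'] ) ? $settings['description'] : '';
    echo '<h2 class="series-title" title="' . esc_attr( $title ) . '">'
        . esc_html( $title ) . '</h2>';
    echo '<div class="series-desc">' . wp_kses_post( $desc ) . '</div>';
}

// Defence in depth: sanitize on save as well, so the stored data is already
// clean even if a later template forgets to escape. Hypothetical callback of
// the kind registered through the Settings API's sanitize_callback.
function series_sanitize_settings( $input ) {
    return array(
        'title'       => sanitize_text_field( $input['title'] ?? '' ),
        'description' => wp_kses_post( $input['description'] ?? '' ),
    );
}
```

Output escaping is the control that closes the stored-XSS path; input sanitization alone does not, because data can reach the database through other routes (imports, REST, direct SQL).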
Affected Products
Justin Tadlock Series WordPress plugin versions from an unspecified baseline through 2.0.1 inclusive are affected. The plugin identifier and CPE context indicate this is a WordPress plugin distributed through the official WordPress Plugin Directory. Vendor advisory and technical details are available at Patchstack's vulnerability database (patchstack.com/database/Wordpress/Plugin/series/).
Remediation
Update the Justin Tadlock Series plugin to a version newer than 2.0.1 as soon as possible. Website administrators should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate Series, and click 'Update Now' if a patched version is available, or manually download the latest release from the official WordPress Plugin Directory. For sites unable to update immediately, restrict editing and administrative capabilities to trusted users only, and review existing series content for suspicious scripts or unexpected modifications. Full technical guidance and patch availability can be confirmed at the Patchstack advisory link (https://patchstack.com/database/Wordpress/Plugin/series/vulnerability/wordpress-series-plugin-2-0-1-cross-site-scripting-xss-vulnerability).