Skip to main content

Justin Tadlock Series CVE-2025-62759

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 09:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Tadlock Series series allows Stored XSS.This issue affects Series: from n/a through <= 2.0.1.

AnalysisAI

Stored cross-site scripting (XSS) in the Justin Tadlock Series WordPress plugin up to version 2.0.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage within the plugin's data structures. With an EPSS score of 0.04% and low exploitation probability, this represents a lower-priority but still exploitable vulnerability in a plugin with active distribution.

Technical ContextAI

The Series plugin for WordPress fails to properly sanitize and escape user-supplied input before rendering it in web page output, violating CWE-79 (Improper Neutralization of Input During Web Page Generation). WordPress plugins that handle user input without adequate escaping functions (such as esc_attr(), esc_html(), wp_kses_post()) create persistent XSS vectors where malicious scripts become part of the site's stored data. This vulnerability likely affects template rendering, post/series editing, or settings pages where the plugin processes and displays user-controlled data without sufficient output encoding.

Affected ProductsAI

Justin Tadlock Series WordPress plugin versions from an unspecified baseline through 2.0.1 inclusive are affected. The plugin identifier and CPE context indicate this is a WordPress plugin distributed through the official WordPress Plugin Directory. Vendor advisory and technical details are available at Patchstack's vulnerability database (patchstack.com/database/Wordpress/Plugin/series/).

RemediationAI

Update the Justin Tadlock Series plugin to a version newer than 2.0.1 as soon as possible. Website administrators should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate Series, and click 'Update Now' if a patched version is available, or manually download the latest release from the official WordPress Plugin Directory. For sites unable to update immediately, restrict editing and administrative capabilities to trusted users only, and review existing series content for suspicious scripts or unexpected modifications. Full technical guidance and patch availability can be confirmed at the Patchstack advisory link (https://patchstack.com/database/Wordpress/Plugin/series/vulnerability/wordpress-series-plugin-2-0-1-cross-site-scripting-xss-vulnerability).

Share

CVE-2025-62759 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy