CVE-2025-62761

2025-12-31 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 09:15 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BasePress Knowledge Base documentation & wiki plugin - BasePress basepress allows Stored XSS. This issue affects Knowledge Base documentation & wiki plugin - BasePress: from n/a through <= 2.17.0.1.

Analysis

A stored cross-site scripting (XSS) vulnerability in the BasePress Knowledge Base documentation & wiki plugin, versions through 2.17.0.1, allows authenticated attackers to inject scripts that persist in the database and execute in the browsers of other users who view the affected content. The root cause is improper input sanitization during web page generation, which lets an attacker compromise user sessions, steal credentials, or deface documentation on WordPress installations running BasePress. With an EPSS exploitation probability of 0.04% (14th percentile), the real-world exploitation risk is currently low, but because the payload is stored, the issue becomes a persistence risk if threat actors discover it.

Technical Context

This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability, the classic stored XSS weakness in which user-controlled input is neither sanitized nor encoded before being rendered in an HTML context. BasePress, a WordPress knowledge base and wiki plugin, does not adequately validate or escape content at input time or encode it at output time, so script tags or event-handler attributes can be injected and stored permanently in the WordPress database. Every subsequent request by another user then executes the stored payload in that user's browser without their knowledge, giving the attacker a vector for session hijacking, credential theft, or privilege escalation within the WordPress instance.

Affected Products

Knowledge Base documentation & wiki plugin - BasePress for WordPress, from an unspecified initial release through and including version 2.17.0.1. All installations of BasePress at or below version 2.17.0.1 are affected, including the plugin as distributed through the WordPress Plugin Directory. Affected organizations should consult the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/basepress/vulnerability/wordpress-knowledge-base-documentation-wiki-plugin-basepress-plugin-2-17-0-1-cross-site-scripting-xss-vulnerability for version-specific impact confirmation.

Remediation

Update the BasePress Knowledge Base documentation & wiki plugin to a version newer than 2.17.0.1 as soon as one is available from the WordPress Plugin Directory or the vendor's official release channel. Administrators should verify that the patched version addresses input sanitization in content submission workflows and output encoding in page rendering functions. As a temporary mitigation until a patch is available, restrict plugin access to trusted administrative users, use WordPress role-based access controls to limit who can create or edit knowledge base content, and consider disabling the plugin if it is not actively in use. Monitor the plugin author's release notes and the Patchstack advisory referenced in the disclosure for the patch release date.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +0, POC 0
