CVE-2025-62901
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tormorten WP Microdata wp-microdata allows Stored XSS. This issue affects WP Microdata: from n/a through <= 1.0.
Analysis
Stored cross-site scripting (XSS) in the WP Microdata WordPress plugin, version 1.0 and earlier, allows authenticated users or lower-privileged administrators to inject malicious scripts that execute in the browsers of site visitors, potentially leading to credential theft, session hijacking, or malware distribution. The vulnerability stems from improper input sanitization during web page generation. An EPSS score of 0.04% indicates a low probability of exploitation in real-world conditions.
Technical Context
The vulnerability is a Stored XSS issue (CWE-79: Improper Neutralization of Input During Web Page Generation) in the WP Microdata plugin, which generates structured data markup for WordPress sites. The root cause is insufficient input validation and missing output encoding: user-supplied data is stored in the database and later rendered into web pages without being escaped for the context it is written into. This allows malicious JavaScript payloads to persist and execute in victim browsers whenever the affected page content is accessed.
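The following is an added illustration of the CWE-79 pattern described above, not code from the WP Microdata plugin: a hypothetical plugin stores a product name in post meta (the key `_md_product_name` and the function names are assumptions) and renders it into microdata, first without output encoding and then with context-appropriate escaping.

```php
<?php
// Hypothetical illustration of the stored-XSS pattern; NOT WP Microdata code.
// Assumes a post-meta key '_md_product_name' populated from an admin form
// and rendered into microdata markup on the public site.

// Vulnerable pattern: stored meta is echoed straight into an HTML attribute,
// a text node, and a JSON-LD <script> block without any output encoding.
function md_render_vulnerable( $post_id ) {
    $name  = get_post_meta( $post_id, '_md_product_name', true );
    $html  = '<span itemprop="name" content="' . $name . '">' . $name . '</span>';
    $html .= '<script type="application/ld+json">'
           . json_encode( array( '@type' => 'Product', 'name' => $name ) )
           . '</script>';
    return $html;
}

// Hardened pattern, step 1: check capability (not merely login state) and
// sanitize on save so only plain text reaches the database.
function md_save_product_name( $post_id, $raw_name ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return false;
    }
    update_post_meta( $post_id, '_md_product_name', sanitize_text_field( $raw_name ) );
    return true;
}

// Hardened pattern, step 2: encode per output context on render. Sanitizing
// on save is defence in depth; escaping at output is what closes CWE-79.
function md_render_hardened( $post_id ) {
    $name  = get_post_meta( $post_id, '_md_product_name', true );
    // Attribute context and text-node context need different escapers.
    $html  = '<span itemprop="name" content="' . esc_attr( $name ) . '">'
           . esc_html( $name ) . '</span>';
    // JSON-LD sits inside <script>: esc_html() would corrupt the JSON, so
    // encode '<', '>' and '&' as \u003C etc. to rule out a </script> breakout.
    $html .= '<script type="application/ld+json">'
           . wp_json_encode(
                 array( '@context' => 'https://schema.org', '@type' => 'Product', 'name' => $name ),
                 JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES
             )
           . '</script>';
    return $html;
}
```

When auditing a plugin for this class of bug, grep for `echo`/concatenation of values returned by `get_post_meta()` or `get_option()` that are not wrapped in an `esc_*()` call matching the surrounding HTML context.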
Affected Products
WP Microdata WordPress plugin version 1.0 and all earlier versions are affected. The plugin is distributed through the WordPress plugin repository. No specific CPE string is provided in the available data, but vulnerable installations can be identified by the plugin slug 'wp-microdata' and a version number <= 1.0.
Remediation
Update WP Microdata to a version newer than 1.0 if the vendor releases one, or disable and remove the plugin if no patched version is available. Site administrators should review the plugin in WordPress admin (Plugins > Installed Plugins) and deactivate wp-microdata immediately. For environments unable to update, implement Web Application Firewall (WAF) rules to block common XSS payloads in plugin-controlled input fields. Detailed remediation guidance is available in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/wp-microdata/vulnerability/wordpress-wp-microdata-plugin-1-0-cross-site-scripting-xss-vulnerability.