Skip to main content

CVE-2025-62901

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-21 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 21, 2025 - 22:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tormorten WP Microdata wp-microdata allows Stored XSS.This issue affects WP Microdata: from n/a through <= 1.0.

AnalysisAI

Stored cross-site scripting (XSS) in WP Microdata WordPress plugin version 1.0 and earlier allows authenticated users or lower-privileged administrators to inject malicious scripts that execute in the browsers of site visitors, potentially leading to credential theft, session hijacking, or malware distribution. The vulnerability stems from improper input sanitization during web page generation. EPSS score of 0.04% indicates low exploitation probability in real-world conditions.

Technical ContextAI

The vulnerability is a Stored XSS issue (CWE-79: Improper Neutralization of Input During Web Page Generation) in the WP Microdata plugin, which handles structured data markup for WordPress sites. The root cause is insufficient input validation and output encoding when processing user-supplied data that gets stored in the database and later rendered on web pages without proper sanitization. This allows malicious JavaScript payloads to be persisted and executed in victim browsers when the affected page content is accessed.

Affected ProductsAI

WP Microdata WordPress plugin version 1.0 and all earlier versions are affected. The plugin is available through the WordPress plugin repository and is identified by the CPE context relating to WordPress plugins. No specific CPE string format is provided in available data, but vulnerable installations can be identified via the plugin slug 'wp-microdata' and version number <= 1.0.

RemediationAI

Update WP Microdata to a version newer than 1.0 if available from the vendor, or disable and remove the plugin if no patched version is released. Site administrators should review plugin settings in WordPress admin (Plugins > Installed Plugins) and deactivate wp-microdata immediately. For environments unable to update, implement Web Application Firewall (WAF) rules to block common XSS payloads in plugin-controlled input fields. Detailed remediation guidance is available in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/wp-microdata/vulnerability/wordpress-wp-microdata-plugin-1-0-cross-site-scripting-xss-vulnerability.

Share

CVE-2025-62901 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy