Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HappyDevs TempTool [Show Current Template Info] current-template-name allows Stored XSS. This issue affects TempTool [Show Current Template Info]: from n/a through <= 1.3.1.
Analysis (AI)
Stored cross-site scripting (XSS) in HappyDevs TempTool WordPress plugin version 1.3.1 and earlier allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of other users who view affected pages. The vulnerability exists in the [Show Current Template Info] functionality and affects the current-template-name component; exploitation requires an authenticated user with appropriate plugin permissions but can compromise all site visitors who interact with the injected content.
Technical Context (AI)
This is a CWE-79 flaw in a WordPress plugin that fails to sanitize or escape user-supplied data before storing it and rendering it in web pages. The TempTool plugin's [Show Current Template Info] feature accepts user input without adequate neutralization, so malicious JavaScript can be written into database records. When the plugin later retrieves and displays that data through the current-template-name component, the stored content is emitted directly into an HTML context and the browser interprets any injected script tags. WordPress plugins are particularly prone to this pattern when shortcodes or admin/frontend displays echo stored values without using the WordPress sanitization functions on input (sanitize_text_field(), wp_kses_post()) and the escaping functions on output (esc_html(), esc_attr()).
Affected Products (AI)
HappyDevs TempTool WordPress plugin (current-template-name component) version 1.3.1 and all earlier releases are affected. The vulnerability was reported via Patchstack on the WordPress plugin security database. The exact CPE designation is not provided in available data, but the plugin is identified as a WordPress plugin installable via the official WordPress.org plugin repository or direct distribution.
Remediation (AI)
Users should update HappyDevs TempTool to the first patched version released after 1.3.1; check the Patchstack database and WordPress.org plugin page for the latest available version. If no patch is immediately available, administrators should restrict plugin access to trusted super-administrator users only, disable the [Show Current Template Info] shortcode/functionality if unused, or consider disabling the plugin until a patched release is available. For additional guidance and to verify patch availability, consult the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/current-template-name/. Ensure that any custom development using the plugin's code implements proper WordPress sanitization (sanitize_text_field()) on input and escaping (wp_kses_post(), esc_html()) on output.
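The sanitize-on-input, escape-on-output pattern recommended in the Technical Context and Remediation sections, shown as an added example. This is not TempTool's or HappyDevs' code: it models a hypothetical shortcode that saves a user-supplied template label and renders it later, first in the vulnerable form the advisory describes (stored raw, echoed raw) and then in the hardened form. The option key, shortcode tag, in-memory store and sample input are constructed for the demo; outside WordPress, approximate stand-ins for sanitize_text_field() and esc_html() are defined so the file runs from the CLI, while inside WordPress the real functions are used.

```php
<?php
/**
 * Added example, not TempTool code. Models the CWE-79 pattern from the advisory
 * (unsanitized value stored, then rendered unescaped) beside the WordPress-
 * idiomatic fix. Run with: php demo.php
 */

if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Approximation of WordPress sanitize_text_field(): drop tags, control
    // characters and surrounding whitespace. A real plugin uses the WP one.
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\x00-\x1F\x7F]/', '', $str );
        return trim( $str );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    // Approximation of WordPress esc_html(): encode for an HTML text node.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Constructed in-memory stand-in for the wp_options table; key name is hypothetical.
$demo_store = array();

/* --- Vulnerable pattern: raw input stored, raw output rendered. --- */

function demo_save_label_vulnerable( array &$store, $raw_input ) {
    $store['demo_template_label'] = $raw_input;                 // no sanitization
}

function demo_render_label_vulnerable( array $store ) {
    $label = isset( $store['demo_template_label'] ) ? $store['demo_template_label'] : '';
    return '<span class="template-name">' . $label . '</span>'; // no escaping
}

/* --- Hardened pattern: sanitize on the way in, escape on the way out. --- */

function demo_save_label_hardened( array &$store, $raw_input ) {
    $store['demo_template_label'] = sanitize_text_field( $raw_input );
}

function demo_render_label_hardened( array $store ) {
    $label = isset( $store['demo_template_label'] ) ? $store['demo_template_label'] : '';
    // Escape at output time regardless of what is stored: other code paths may
    // write the same option, so the renderer must not trust the stored value.
    return '<span class="template-name">' . esc_html( $label ) . '</span>';
}

// Inside WordPress, register the hardened renderer as a shortcode (tag is hypothetical).
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'demo_template_label', function () use ( &$demo_store ) {
        return demo_render_label_hardened( $demo_store );
    } );
}

// Constructed input an authenticated user might submit through a settings form.
$submitted = 'Twenty Twenty-Four <script>alert("xss")</script>';

demo_save_label_vulnerable( $demo_store, $submitted );
$bad = demo_render_label_vulnerable( $demo_store );

demo_save_label_hardened( $demo_store, $submitted );
$good = demo_render_label_hardened( $demo_store );

echo "vulnerable: $bad\n";
echo "hardened:   $good\n";

// Quick check a reviewer can run; in a real plugin this belongs in a PHPUnit test.
if ( stripos( $good, '<script' ) !== false ) {
    fwrite( STDERR, "hardened output still contains a script tag\n" );
    exit( 1 );
}
echo "ok: hardened output carries no live markup from the input\n";
```

The vulnerable renderer emits the stored value verbatim, so the script tag reaches every visitor's browser; the hardened renderer strips tags when the value is saved and still HTML-encodes it when it is displayed, so the same input renders as inert text. Keeping the escape at the output site is the part that matters most, because input sanitization can be bypassed by any other code path that writes the option.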