CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icc0rz H5P h5p allows Stored XSS. This issue affects H5P: from n/a through <= 1.16.0.
Analysis (AI)
Stored cross-site scripting (XSS) in the icc0rz H5P WordPress plugin, versions 1.16.0 and earlier, allows authenticated users with limited privileges to inject scripts that execute in the browsers of other users who view the affected content. The vulnerability stems from improper input sanitization during web page generation and requires user interaction (UI:R) to trigger; because the script runs in the victim's browser rather than in the plugin's own security scope, the vector is scope-changed (S:C), which lifts the Low confidentiality, integrity and availability impacts to a CVSS base score of 6.5. Despite the moderate CVSS rating, the EPSS score of 0.02% indicates a very low real-world exploitation probability at the time of analysis, with no public exploit code or active exploitation confirmed.
Technical Context (AI)
This vulnerability is an instance of CWE-79 (Improper Neutralization of Input During Web Page Generation), the foundational XSS class in which user-supplied input is not adequately sanitized or encoded before being rendered in an HTML context. The H5P plugin provides interactive content creation and delivery within WordPress, processing user-supplied input while generating that content. The stored variant means malicious payloads persist in the application's database and are served to every subsequent visitor, which makes remediation critical in multi-user environments. In the CVSS vector, AV:N/AC:L indicates a network-based attack of low complexity, PR:L reflects that only low-privileged authenticated users (such as contributors or editors in WordPress) are needed to store a payload, and UI:R indicates the payload executes only when another user views the compromised content.
Affected Products (AI)
The icc0rz H5P WordPress plugin, versions 1.16.0 and earlier, is affected, so any WordPress installation running the plugin within that version range is exposed. CPE data is not independently available from the provided sources, but the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/h5p/vulnerability/wordpress-interactive-content-h5p-plugin-1-16-0-cross-site-scripting-xss-vulnerability documents the affected plugin and version range. Site administrators should identify H5P plugin installations through the WordPress plugin management screen or security scanning tools to determine exposure.
Remediation (AI)
Update the icc0rz H5P plugin to a patched version released after 1.16.0. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/h5p/vulnerability/wordpress-interactive-content-h5p-plugin-1-16-0-cross-site-scripting-xss-vulnerability for the exact patched version number and release date. In the interim, restrict the editor and contributor roles to trusted users only, review existing H5P content for unexpected script injections, and consider temporarily disabling the plugin if it is not actively required. Apply the patch through the WordPress plugin management dashboard or by manual installation, and test functionality in a staging environment before deploying to production.