CVE-2025-63027
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webcreations907 WBC907 Core wbc907-core allows Stored XSS. This issue affects WBC907 Core: from n/a through <= 3.4.1.
Analysis
Stored cross-site scripting (XSS) in webcreations907 WBC907 Core WordPress plugin versions up to 3.4.1 allows attackers to inject and execute malicious JavaScript that persists in the application, potentially compromising users who view affected pages. The vulnerability stems from improper input neutralization during web page generation. No public exploit code or active exploitation has been identified at the time of analysis, though the attack vector and complexity depend on the specific injection point within the plugin.
Technical Context
This is a classic CWE-79 stored XSS vulnerability in a WordPress plugin. The WBC907 Core plugin (tracked under the usual CPE pattern for WordPress plugins) fails to properly sanitize or validate user-supplied input before storing it in the database and rendering it in HTML output. The vulnerability affects the plugin's core functionality across versions from an unspecified baseline through 3.4.1. Stored XSS vulnerabilities are particularly dangerous in WordPress environments because the injected script runs in the browser of every user who visits an affected page, including administrators, which may let an attacker escalate privileges or inject malicious code into the site globally. The root cause is improper output encoding or input filtering when the plugin processes and displays user-controlled data.
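The pattern behind this class of bug, shown as an added illustration rather than WBC907 Core's own code (which is not reproduced here): a hypothetical plugin field saved from a meta box and printed on the front end, first with the unsafe store-raw/echo-raw pattern and then with the WordPress-idiomatic fix of sanitizing on save and escaping on output. All function and field names prefixed `wbcdemo_` are assumptions; the WordPress API calls are real.

```php
<?php
// Hypothetical plugin code (not WBC907 Core's): a per-post "tagline" field.

// VULNERABLE pattern: request data stored raw, stored data echoed raw.
function wbcdemo_save_tagline_vulnerable( $post_id ) {
    if ( isset( $_POST['wbcdemo_tagline'] ) ) {
        update_post_meta( $post_id, '_wbcdemo_tagline', $_POST['wbcdemo_tagline'] );
    }
}
function wbcdemo_render_tagline_vulnerable( $post_id ) {
    // Stored XSS: whatever was saved (including <script> markup) reaches the browser verbatim.
    echo '<p class="tagline">' . get_post_meta( $post_id, '_wbcdemo_tagline', true ) . '</p>';
}

// HARDENED pattern: nonce + capability check, sanitize on save, escape on output.
function wbcdemo_save_tagline( $post_id ) {
    if ( ! isset( $_POST['wbcdemo_tagline'], $_POST['wbcdemo_nonce'] ) ) {
        return;
    }
    // The nonce ties the request to the edit form; the capability check stops low-privilege users.
    if ( ! wp_verify_nonce( sanitize_key( $_POST['wbcdemo_nonce'] ), 'wbcdemo_save_' . $post_id ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // sanitize_text_field() strips tags and control characters before storage.
    $tagline = sanitize_text_field( wp_unslash( $_POST['wbcdemo_tagline'] ) );
    update_post_meta( $post_id, '_wbcdemo_tagline', $tagline );
}
function wbcdemo_render_tagline( $post_id ) {
    $tagline = get_post_meta( $post_id, '_wbcdemo_tagline', true );
    // Escape for the HTML body context at output time, regardless of what is in the database;
    // output escaping also protects values that were stored before the sanitization was added.
    echo '<p class="tagline">' . esc_html( $tagline ) . '</p>';
}
// If a field legitimately holds limited HTML, use wp_kses_post() at output instead of esc_html(),
// and esc_attr() when the value is placed inside an HTML attribute.
add_action( 'save_post', 'wbcdemo_save_tagline' );
```

Escaping at the point of output is the control that matters for already-stored data, which is why a patch for a stored XSS usually has to touch the rendering code and not only the save handler.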
Affected Products
webcreations907 WBC907 Core WordPress plugin through version 3.4.1. The exact starting version for the vulnerable range is not specified in available data. Affected users are those running WBC907 Core on WordPress installations. Additional version details and specific CPE strings are available through the Patchstack vulnerability database reference.
Remediation
Update webcreations907 WBC907 Core to the latest patched version released after 3.4.1. Site administrators should check the WordPress plugin repository or the vendor's advisory at https://patchstack.com/database/Wordpress/Plugin/wbc907-core/vulnerability/wordpress-wbc907-core-plugin-3-4-1-cross-site-scripting-xss-vulnerability for the specific patched version number and installation instructions. As an interim measure, if the vulnerability is limited to authenticated user input (such as comments or post metadata), restrict plugin access to trusted administrators only or disable the plugin until a patch is confirmed available. Review server logs and site content for evidence of injected malicious scripts, and consider clearing page caches after patching.