Skip to main content

Wpcasa EUVDEUVD-2025-208863

| CVE-2025-62043 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-19 Patchstack
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 19, 2026 - 08:45 euvd
EUVD-2025-208863
Analysis Generated
Mar 19, 2026 - 08:45 vuln.today
CVE Published
Mar 19, 2026 - 08:25 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS.This issue affects WPCasa: from n/a through 1.4.1.

AnalysisAI

A DOM-based cross-site scripting (XSS) vulnerability exists in WPSight WPCasa WordPress plugin versions through 1.4.1, allowing authenticated attackers to inject malicious JavaScript that executes in users' browsers. The vulnerability stems from improper neutralization of user input during web page generation, enabling an attacker with login credentials to craft malicious payloads that execute in the context of other users' sessions. With a CVSS score of 6.5 and network-accessible attack vector requiring only user interaction, this vulnerability poses a moderate risk to WordPress installations using affected WPCasa versions, particularly those managing real estate listings where authenticated users have content creation privileges.

Technical ContextAI

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic DOM-based XSS flaw where user-controlled input is directly reflected into the DOM without proper sanitization or encoding. The WPCasa plugin (identified via CPE cpe:2.3:a:wpsight:wpcasa:*:*:*:*:*:*:*:*) is a WordPress real estate listing and property management plugin that processes user input during page generation. DOM-based XSS differs from reflected/stored XSS in that the vulnerability exists in client-side JavaScript code that processes URL parameters or form inputs without escaping, allowing attackers to inject arbitrary JavaScript that executes in the victim's browser. The attack occurs when the application takes untrusted input and uses it to dynamically generate page content via DOM manipulation without first validating or encoding the data against XSS payloads.

RemediationAI

Upgrade WPCasa to a patched version released after 1.4.1 immediately, checking the official WPSight repository and Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wpcasa/vulnerability/wordpress-wpcasa-plugin-1-4-1-cross-site-scripting-xss-vulnerability) for the minimum patched version number. Until an upgrade is feasible, implement the following defenses: (1) restrict WPCasa administrative and content-creation capabilities to trusted users only, (2) use a Web Application Firewall (WAF) configured to block DOM-XSS patterns in URL parameters and form inputs targeting WPCasa endpoints, (3) enforce Content Security Policy (CSP) headers to restrict inline script execution and limit script sources, and (4) conduct a security audit of user permissions to identify and remove unnecessary authenticated access. Additionally, monitor user activity logs for suspicious parameter injection attempts in WPCasa property listing and form submission handlers.

Share

EUVD-2025-208863 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy