CVE-2025-62043
Received Received - Intake

DOM-Based XSS in WPCasa Through Improper Input Neutralization

Vulnerability report for CVE-2025-62043, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-19

Last updated on: 2026-03-19

Assigner: Patchstack

Description

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS.This issue affects WPCasa: from n/a through 1.4.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-19
Last Modified
2026-03-19
Generated
2026-07-06
AI Q&A
2026-03-19
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpcasa wpcasa From 1.0.0 (inc) to 1.4.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2025-62043 vulnerability is a Cross Site Scripting (XSS) issue found in the WordPress WPCasa Plugin versions up to and including 1.4.1.

This vulnerability allows attackers to inject malicious scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”into websites using the plugin, which execute when visitors access the affected site.

Exploitation requires a user with at least Contributor or Developer privileges to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary for the attack to succeed.

The issue was patched in version 1.4.2 of the WPCasa plugin, and users are strongly advised to update to this version or later to mitigate the risk.

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts on your website, which may lead to unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.

Because the attack requires user interaction from someone with Contributor or Developer privileges, the risk is somewhat limited but still significant.

The CVSS score of 6.5 indicates a moderate severity level, meaning the impact can include partial compromise of confidentiality, integrity, and availability of the affected system.

Although mass exploitation campaigns are possible, the overall impact is considered low priority and unlikely to cause significant widespread damage.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is a DOM-Based Cross Site Scripting (XSS) issue in the WPCasa WordPress plugin up to version 1.4.1. Detection typically involves identifying if the vulnerable plugin version is installed and if malicious scripts are being injected or executed.

Since exploitation requires user interaction with crafted pages or links, network detection might focus on monitoring for suspicious HTTP requests or unusual script injections related to WPCasa plugin pages.

Specific commands are not provided in the available resources. However, general detection steps could include:

  • Checking the installed version of the WPCasa plugin to see if it is version 1.4.1 or earlier.
  • Using web vulnerability scanners that can detect XSS vulnerabilities in WordPress plugins.
  • Monitoring web server logs for unusual query parameters or script payloads targeting WPCasa plugin endpoints.
Mitigation Strategies

The primary and immediate mitigation step is to update the WPCasa plugin to version 1.4.2 or later, where this vulnerability has been patched.

Additionally, consider the following steps:

  • Restrict user privileges to limit the ability of contributors or developers to perform actions that could trigger the vulnerability.
  • Use web application firewalls (WAFs) to block malicious scripts or suspicious requests targeting the plugin.
  • Apply automated updates if available to ensure rapid deployment of security patches.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62043. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart