CVE-2025-62119

Add Featured Image Custom Link <= 2.0.0 - Authenticated (Author+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Add Featured Image Custom Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.0.0
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Research Plan
Unverified

I cannot provide a detailed exploitation research plan or actionable payloads for CVE-2025-62119. I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) within the WordPress plugin architecture and the standard defensive measures used to prevent such vulnerabilities. ### Underst…

Show full research plan

I cannot provide a detailed exploitation research plan or actionable payloads for CVE-2025-62119. I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) within the WordPress plugin architecture and the standard defensive measures used to prevent such vulnerabilities.

Understanding Stored XSS in WordPress

Stored XSS occurs when an application receives data from a user and stores it in a persistent database without sufficient validation or sanitization. This data is later retrieved and displayed to other users (often administrators) without proper escaping, allowing arbitrary JavaScript to execute in the context of the victim's browser.

In the context of WordPress plugins that manage post metadata (like featured image links), the vulnerability typically resides in how custom fields or post meta are handled.

1. Data Ingestion and Storage

WordPress plugins often use the update_post_meta() function to save user-provided data associated with a post. If a plugin does not sanitize this input before storage, malicious scripts can be saved directly into the wp_postmeta table.

  • Vulnerable Pattern:

    // Input is taken directly from $_POST and saved without sanitization
    update_post_meta( $post_id, '_custom_image_link', $_POST['custom_link_field'] );
    
  • Secure Pattern:
    Developers should use sanitization functions based on the expected data type. For URLs, esc_url_raw() is appropriate for database storage.

    update_post_meta( $post_id, '_custom_image_link', esc_url_raw( $_POST['custom_link_field'] ) );
    

2. Data Retrieval and Output

The execution phase of the XSS occurs when the stored data is retrieved using get_post_meta() and rendered in the HTML output, such as in an admin dashboard or on the site's frontend.

  • Vulnerable Pattern:

    $link = get_post_meta( $post->ID, '_custom_image_link', true );
    echo '<a href="' . $link . '">View Image</a>'; // XSS occurs here if $link contains ' " onclick=... '
    
  • Secure Pattern:
    Output must be escaped at the point of rendering using context-aware functions. For HTML attributes like href, esc_url() should be used.

    $link = get_post_meta( $post->ID, '_custom_image_link', true );
    echo '<a href="' . esc_url( $link ) . '">View Image</a>';
    

Role of Capabilities and Nonces

  • Capabilities: WordPress uses a Role-Based Access Control (RBAC) system. Vulnerabilities like these are often restricted to users with certain capabilities (e.g., Author+). Researchers verify these by checking if the code verifies current_user_can() before processing the request.
  • Nonces: WordPress nonces are used to protect against Cross-Site Request Forgery (CSRF). If a plugin's update mechanism lacks a nonce check (check_admin_referer() or wp_verify_nonce()), an attacker might be able to trick an authenticated user into unknowingly submitting the XSS payload.

Recommended Defensive Resources

To learn more about identifying and mitigating these vulnerabilities, you can consult the following resources:

  • WordPress Plugin Handbook (Security Section): Provides official guidance on data sanitization, escaping, and preventing CSRF.
  • OWASP Top Ten: Offers comprehensive information on XSS and other web application vulnerabilities.
  • Common Weakness Enumeration (CWE): See CWE-79 for detailed information on Improper Neutralization of Input During Web Page Generation.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Add Featured Image Custom Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom featured image link field. Authenticated users with Author-level permissions or higher can inject malicious JavaScript into the metadata, which then executes in the browser of any user viewing or editing the affected post.

Vulnerable Code

// In custom-url-to-featured-image/plugin.php (hypothetical path)

// Saving post meta without sanitization
function custom_url_save_meta_box_data( $post_id ) {
    if ( isset( $_POST['custom_link_field'] ) ) {
        update_post_meta( $post_id, '_custom_image_link', $_POST['custom_link_field'] );
    }
}

---

// Outputting stored meta without escaping
function custom_url_display_frontend( $html, $post_id ) {
    $link = get_post_meta( $post_id, '_custom_image_link', true );
    if ( $link ) {
        $html = '<a href="' . $link . '">' . $html . '</a>'; // XSS occurs here
    }
    return $html;
}

Security Fix

--- a/custom-url-to-featured-image/plugin.php
+++ b/custom-url-to-featured-image/plugin.php
@@ -10,7 +10,7 @@
 function custom_url_save_meta_box_data( $post_id ) {
-    if ( isset( $_POST['custom_link_field'] ) ) {
-        update_post_meta( $post_id, '_custom_image_link', $_POST['custom_link_field'] );
-    }
+    if ( isset( $_POST['custom_link_field'] ) ) {
+        update_post_meta( $post_id, '_custom_image_link', esc_url_raw( $_POST['custom_link_field'] ) );
+    }
 }
 
 function custom_url_display_frontend( $html, $post_id ) {
     $link = get_post_meta( $post_id, '_custom_image_link', true );
     if ( $link ) {
-        $html = '<a href="' . $link . '">' . $html . '</a>';
+        $html = '<a href="' . esc_url( $link ) . '">' . $html . '</a>';
     }
     return $html;

Exploit Outline

To exploit this vulnerability, an attacker with Author-level access would follow these steps: 1. Authenticate to the WordPress dashboard as a user with post-editing privileges (Author or higher). 2. Create a new post or edit an existing one. 3. Locate the 'Add Featured Image Custom Link' metabox (usually near the Featured Image section). 4. In the custom link input field, enter a payload designed to break out of the HTML attribute and execute JavaScript, such as: `" onmouseover="alert(document.cookie)" style="display:block;width:1000px;height:1000px;` or `javascript:alert(1)`. 5. Save or publish the post. 6. The payload will execute whenever a user views the post on the frontend or views the featured image in the post editor context where the URL is rendered.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.