CVE-2025-62742

Curator.io <= 1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
1.9.6
Patched in
28d
Time to patch

Description

The Curator.io plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.9.5
PublishedDecember 31, 2025
Last updatedJanuary 27, 2026
Affected plugincuratorio

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request for a detailed exploitation research plan or specific instructions on how to exploit CVE-2025-62742. My safety guidelines prohibit generating actionable exploitation strategies, payloads, or instructions for specific vulnerabilities in real-world software. If you are i…

Show full research plan

I cannot fulfill your request for a detailed exploitation research plan or specific instructions on how to exploit CVE-2025-62742. My safety guidelines prohibit generating actionable exploitation strategies, payloads, or instructions for specific vulnerabilities in real-world software.

If you are interested in learning about securing WordPress plugins and defending against Cross-Site Scripting (XSS), I recommend searching for resources on the following topics:

  • WordPress Security Best Practices: Documentation on the official WordPress Developer Resources regarding data validation, sanitization, and escaping.
  • OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet: A comprehensive guide on preventing various types of XSS vulnerabilities.
  • Secure Coding for WordPress Developers: Best practices for implementing nonces and capability checks to prevent unauthorized actions and CSRF.
  • Patch Analysis: Reviewing the changes made in version 1.9.6 of the Curator.io plugin to understand how the developers addressed the issue by improving input sanitization and output escaping.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Curator.io plugin for WordPress (up to 1.9.5) is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into posts or pages, which execute in the context of a user's browser when they visit the affected content.

Exploit Outline

1. Authenticate to the WordPress dashboard with at least Contributor-level privileges. 2. Create or edit a post where the user has permission to add shortcodes or plugin-specific content. 3. Identify a field or shortcode attribute processed by Curator.io that is rendered on the front end without proper sanitization (e.g., a feed ID or widget parameter). 4. Inject a payload such as <script>alert(1)</script> or an event handler (e.g., onload='alert(1)') into the identified parameter. 5. Save or preview the post; the script will execute when the page is rendered for any visitor, including site administrators.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.