{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-62043", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-10-07T15:34:26.392Z", "datePublished": "2026-03-19T08:25:18.077Z", "dateUpdated": "2026-03-19T13:32:59.665Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:25:18.077Z"}, "title": "WordPress WPCasa plugin <= 1.4.1 - Cross Site Scripting (XSS) vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "CAPEC-588 DOM-Based XSS"}]}], "affected": [{"vendor": "WPSight", "product": "WPCasa", "collectionURL": "https://wordpress.org/plugins", "packageName": "wpcasa", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "1.4.1", "changes": [{"at": "1.4.2", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS.This issue affects WPCasa: from n/a through 1.4.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS.<p>This issue affects WPCasa: from n/a through 1.4.1.</p>"}]}], "tags": ["x_open-source"], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/wpcasa/vulnerability/wordpress-wpcasa-plugin-1-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"}}], "solutions": [{"lang": "en", "value": "Update the WordPress WPCasa Plugin to the latest available version (at least 1.4.2).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the WordPress WPCasa Plugin to the latest available version (at least 1.4.2)."}]}], "credits": [{"lang": "en", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T13:32:40.949772Z", "id": "CVE-2025-62043", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:32:59.665Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-62043", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T13:32:40.949772Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:32:48.121Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress WPCasa plugin <= 1.4.1 - Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "CAPEC-588 DOM-Based XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WPSight", "product": "WPCasa", "versions": [{"status": "affected", "changes": [{"at": "1.4.2", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "1.4.1"}], "packageName": "wpcasa", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress WPCasa Plugin to the latest available version (at least 1.4.2).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress WPCasa Plugin to the latest available version (at least 1.4.2).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/wpcasa/vulnerability/wordpress-wpcasa-plugin-1-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS.This issue affects WPCasa: from n/a through 1.4.1.", "supportingMedia": [{"type": "text/html", "value": "Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS.<p>This issue affects WPCasa: from n/a through 1.4.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:25:18.077Z"}}}, "cveMetadata": {"cveId": "CVE-2025-62043", "state": "PUBLISHED", "dateUpdated": "2026-03-19T13:32:59.665Z", "dateReserved": "2025-10-07T15:34:26.392Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T08:25:18.077Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS.This issue affects WPCasa: from n/a through 1.4.1."}], "id": "CVE-2025-62043", "lastModified": "2026-03-19T13:25:00.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T09:16:16.397", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/wpcasa/vulnerability/wordpress-wpcasa-plugin-1-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WPCasa", "source": "cna", "vendor": "WPSight"}, "product": "wpcasa", "vendor": "wpsight"}], "analysis": {"en": {"generated_at": "2026-03-19T09:22:41.955541+00:00", "value": {"mitigation_remediation": ["Update the WordPress WPCasa Plugin to version 1.4.2 or newer"], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "Vendor WPSight offers the WPCasa plugin, and all releases up to and including version 1.4.1 are affected. Newer releases (1.4.2 and later) have addressed the issue. No specific version range is given beyond the latest known vulnerable release.", "description_and_impact": "The vulnerability is a DOM\u2011Based Cross\u2011Site Scripting (XSS) flaw caused by improper neutralization of input during web page generation in WPSight WPCasa. This weakness allows an attacker to inject malicious script that is executed in the context of a victim's browser. The impact is limited to the victim's session and browser, enabling actions such as cookie theft, session hijacking, or defacement of the page. The weakness corresponds to CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a medium severity level. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via malicious input that is reflected within the user interface of the plugin. The attacker requires a user to visit a crafted URL or submit manipulated parameters that are rendered in the browser."}}}}, "created": "2026-03-20T08:57:08.413109+00:00", "updated": "2026-03-20T14:15:27.321972+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpsight", "wpsight$PRODUCT$wpcasa"]}