VR < 8.5.49 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-62885 | Plugin Vulnerabilities

Description

The VR plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 8.5.48 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 8.5.49

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/28585718-9678-48a0-bd70-338d9f20bee4

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Peter Thaleikis

Verified

No

WPVDB ID

776a4c3b-2d0a-4259-99dd-18add676d710

Timeline

Publicly Published

2025-06-27 (about 11 months ago)

Added

2025-12-11 (about 6 months ago)

Last Updated

2025-12-12 (about 6 months ago)

Other

Published

Title

Published

2024-08-16

Title

Bold Timeline Lite < 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-05-19

Title

Back Button Widget < 1.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-05-09

Title

Team Circle Image Slider With Lightbox < 1.0.18 - Reflected Cross-Site Scripting

Published

2025-01-21

Title

Stackable – Page Builder Gutenberg Blocks < 3.13.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-05-15

Title

Royal Elementor Addons and Templates < 1.3.975 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Builder Widget