Knowledge Base documentation & wiki plugin – BasePress < 2.17.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-62761 | Plugin Vulnerabilities

Description

The Knowledge Base documentation & wiki plugin – BasePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.17.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 2.17.0.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/fe5a963c-df35-4e6e-a381-10e0eb638304

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Muhammad Yudha - DJ

Verified

No

WPVDB ID

a7978196-5a42-4d0e-bfd5-228edee642ef

Timeline

Publicly Published

2025-12-31 (about 5 months ago)

Added

2026-01-05 (about 4 months ago)

Last Updated

2026-01-13 (about 4 months ago)

Other

Published

Title

Published

2025-04-24

Title

COVID-19 (Coronavirus) Update Your Customers <= 1.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-09-24

Title

CubeWP Forms – All-in-One Form Builder < 1.1.2 - Unauthenticated Stored Cross-Site Scripting

Published

2023-10-18

Title

Gumroad <= 3.1.0 - Contributor+ Stored XSS

Published

2024-07-08

Title

Webico Slider Flatsome Addons <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wbc_image Shortcode

Published

2025-01-07

Title

Able Player <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting