
CVE-2025-62885: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in RexTheme WP VR

Medium
Published: Mon Oct 27 2025 (10/27/2025, 01:33:44 UTC)
Source: CVE Database V5
Vendor/Project: RexTheme
Product: WP VR

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RexTheme WP VR wpvr allows DOM-Based XSS. This issue affects WP VR: from n/a through <= 8.5.42.

AI-Powered Analysis

Last updated: 10/27/2025, 02:56:15 UTC

Technical Analysis

CVE-2025-62885 is a DOM-based cross-site scripting (XSS) vulnerability in the RexTheme WP VR WordPress plugin (slug wpvr). The CVE record lists every version up to and including 8.5.42 as affected and does not name the script or parameter involved. In general terms, a DOM-based XSS arises when the plugin's client-side JavaScript reads attacker-controllable data from a DOM source (the query string, the fragment after the # in the URL, document.referrer, postMessage data) and writes it into a DOM sink such as innerHTML, document.write or an inline event-handler attribute without encoding it as text. The browser parses the injected markup and runs the script in the origin of the affected site.

Two properties of this class matter for defenders. First, unlike reflected or stored XSS, the payload need not reach the server: if the source is the URL fragment, the browser never sends it in the HTTP request, so server-side logging and filtering see nothing. Second, exploitation needs a victim. The attacker must get a user of the site to open a crafted URL; no account on the site is required to deliver that link, but the script executes with whatever the victim's browser session carries. A logged-in administrator is therefore the high-value target: script running in the site's origin can send requests to wp-admin and the REST API with that user's cookies and nonces and perform any action that user can, which for an administrator extends to full control of the WordPress installation.

The site rates this Medium. No CVSS vector is recorded and no public exploit is listed. The record was reserved on 2025-10-24 and published on 2025-10-27 with Patchstack as assigner. The page does not state whether a fixed release exists; "through <= 8.5.42" only bounds the affected range, so check the plugin changelog and the assigner's advisory for the fixed version rather than assuming one. Until a fix is confirmed, treat 8.5.42 and earlier as exposed and apply the defensive measures below.

Potential Impact

For European organizations running WP VR, the consequences are those of any script execution in the site's origin: session hijacking and actions performed as the victim (the more privileged the victim, the worse, up to full control of the WordPress installation if an administrator is targeted), injected credential-phishing forms, redirection of visitors to attacker-controlled pages, and defacement of the virtual-tour pages themselves. Script in the site's origin also reaches anything the page exposes to JavaScript, including non-HttpOnly cookies and localStorage. Public-facing sites in e-commerce, government portals and other customer-facing services are the usual targets, because their users are the ones who can be lured to a crafted link. The attack scales cheaply: one crafted URL distributed by e-mail, social media or search results is enough, and since the payload can be carried in the URL fragment it leaves no trace in the target's server logs. Exposure is limited to sites with the plugin active; within such a site the blast radius is the set of users who can be induced to visit the URL, above all logged-in editors and administrators.

Mitigation Recommendations

1. Monitor RexTheme's and Patchstack's advisories for a fixed WP VR release and update as soon as one is available; until then treat 8.5.42 and earlier as affected.
2. Deploy a Content Security Policy that disallows inline script (no 'unsafe-inline' in script-src; use nonces or hashes for legitimate inline scripts). A strict CSP does not remove the bug, but it blocks the common DOM XSS payloads, namely injected <script> elements and inline event handlers. Roll it out in report-only mode first, because WordPress themes and plugins frequently depend on inline scripts.
3. A web application firewall can filter payloads in the query string, but it cannot see a payload carried in the URL fragment, which browsers never send to the server. Do not rely on a WAF as the primary control for a DOM-based issue.
4. The root fix belongs in the plugin's JavaScript: data read from location, document.referrer or similar must be written to the page as text (textContent, createTextNode, or a templating call that encodes), never as markup through innerHTML or document.write; where the value is an identifier such as a scene or tour ID, validate it against an allow-list before use. Site operators who cannot change the plugin should press the vendor for exactly this change.
5. Tell administrators and editors that the attack arrives as a link: do not open untrusted links while logged into wp-admin, and use a separate browser profile for administration. Audit installed plugins regularly and remove those not in use.
6. If no fixed version is available and the risk is unacceptable, deactivate WP VR until one is.
7. WordPress sets its authentication cookies HttpOnly by default; serve the site over HTTPS (with FORCE_SSL_ADMIN enabled) so they also carry the Secure flag. This limits cookie theft but does not stop a script from acting inside the victim's session.
8. Limit the damage a successful attack can do: keep the number of administrator accounts small and give day-to-day content work the least role it needs (editor, author).
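The source-to-sink pattern described in the technical analysis, and the encode-or-allow-list fix called for in mitigation item 4, as an added illustration. This is not code from the WP VR plugin, and the CVE record does not say which of the plugin's scripts or parameters is affected: the scene fragment parameter, the wpvr-title class, the scene table and the element stub are assumptions chosen so the snippet runs under Node without a browser.

```javascript
// Added illustration of the DOM-based XSS pattern. This is NOT code from the WP VR
// plugin; the "scene" fragment parameter, the scene table and the element stub are
// assumptions made so the example runs under Node without a browser.

// Minimal stand-in for a DOM element. A real element parses anything assigned to
// innerHTML as markup; here the string is kept so the result can be inspected.
function makeElement() {
  return { innerHTML: '' };
}

// DOM *source*: read the "scene" value from the URL fragment. Browsers never send
// the fragment to the server, so no server-side log or WAF rule sees this value.
function sceneFromFragment(url) {
  const fragment = new URL(url).hash.slice(1); // drop the leading '#'
  return new URLSearchParams(fragment).get('scene') || '';
}

// Vulnerable pattern: fragment-controlled text is concatenated into markup and
// written through innerHTML (a DOM *sink*). A value such as
// <img src=x onerror=alert(1)> is parsed as HTML and the handler runs in the
// site's origin, with the cookies and nonces of whoever is logged in.
function renderSceneTitleVulnerable(url, el) {
  el.innerHTML = '<h2 class="wpvr-title">' + sceneFromFragment(url) + '</h2>';
  return el.innerHTML;
}

// HTML-encode the five characters that can change the structure of markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern for free text: encode before it touches a markup sink. In a
// browser the simpler form is el.textContent = title, because a text node is never
// parsed as markup; the string is built here only so the output is visible.
function renderSceneTitleHardened(url, el) {
  const title = sceneFromFragment(url) || 'default';
  el.innerHTML = '<h2 class="wpvr-title">' + escapeHtml(title) + '</h2>';
  return el.innerHTML;
}

// Hardened pattern for identifiers: the fragment value is a lookup key, not text,
// so validate it against an allow-list and resolve it through a trusted table.
// Nothing attacker-controlled is rendered; unknown keys resolve to null. The own-
// property check stops keys like "constructor" or "__proto__" from resolving to
// members inherited from Object.prototype.
const SCENE_ID = /^[A-Za-z0-9_-]{1,64}$/;
const SCENES = { // constructed sample data for the example
  lobby: { title: 'Lobby', panorama: 'lobby.jpg' },
  'hall-2': { title: 'Hall 2', panorama: 'hall2.jpg' },
};
function isSafeSceneId(value) {
  return SCENE_ID.test(value);
}
function selectScene(url) {
  const requested = sceneFromFragment(url);
  if (!isSafeSceneId(requested)) return null;
  return Object.prototype.hasOwnProperty.call(SCENES, requested) ? SCENES[requested] : null;
}

// Stand-alone run: the three behaviours side by side on a constructed payload URL.
const PAYLOAD_URL = 'https://example.test/tour/#scene=<img src=x onerror=alert(1)>';
console.log('vulnerable :', renderSceneTitleVulnerable(PAYLOAD_URL, makeElement()));
console.log('hardened   :', renderSceneTitleHardened(PAYLOAD_URL, makeElement()));
console.log('allow-list :', selectScene(PAYLOAD_URL), selectScene('https://example.test/tour/#scene=lobby'));
```

Running the block with the constructed payload shows the vulnerable renderer passing the <img> tag through intact, the hardened renderer emitting it as inert &lt;img ...&gt; text, and the allow-list lookup rejecting it outright while still resolving a legitimate scene ID. The same three checks are what a code review of the real plugin should look for: every location-derived value should end up in a text sink or be validated as an identifier before it is used.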


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-10-24T14:24:07.765Z
Cvss Version
null
State
PUBLISHED

Threat ID: 68fed02d23a7bbed324acb2a

Added to database: 10/27/2025, 1:51:41 AM

Last enriched: 10/27/2025, 2:56:15 AM

Last updated: 10/29/2025, 6:43:16 AM


