CVE-2025-62901 is a stored Cross-site Scripting (XSS) vulnerability identified in the Tormorten WP Microdata plugin for WordPress, which is used to add structured data markup to web pages. The vulnerability stems from CWE-79: improper neutralization of input during web page generation, meaning that user-supplied input is not properly sanitized before being embedded into HTML output. This allows an attacker with at least low privileges (PR:L) and requiring user interaction (UI:R) to inject malicious JavaScript code that is stored persistently within the website's content. When other users visit the affected pages, the malicious script executes in their browsers, potentially leading to session hijacking, defacement, or redirection to malicious sites. The CVSS v3.1 base score is 6.5, indicating a medium severity with network attack vector (AV:N), low attack complexity (AC:L), partial confidentiality, integrity, and availability impacts (C:L/I:L/A:L), and scope change (S:C). The vulnerability affects all versions of WP Microdata up to 1.0, with no patches currently available and no known exploits in the wild. The plugin’s role in enhancing SEO and structured data makes it attractive to website administrators, increasing the likelihood of its deployment on public-facing WordPress sites. The vulnerability’s exploitation requires some level of authenticated access and user interaction, limiting but not eliminating the risk. Since the vulnerability is stored XSS, it can be leveraged for persistent attacks against site visitors or administrators, potentially leading to broader compromise if combined with other vulnerabilities or social engineering.

For European organizations, this vulnerability poses a risk primarily to websites using the WP Microdata plugin, which is common among small to medium enterprises and content-heavy sites relying on structured data for SEO benefits. Exploitation can lead to unauthorized script execution in users’ browsers, resulting in theft of session cookies, defacement, phishing, or malware distribution. This can damage brand reputation, lead to data breaches involving user credentials or personal data, and disrupt website availability. Public sector websites, e-commerce platforms, and service providers with customer-facing portals are particularly at risk. The partial compromise of confidentiality, integrity, and availability can have regulatory implications under GDPR if personal data is exposed. Additionally, attackers could leverage this vulnerability as a foothold for further attacks within the organization’s network if administrative users are targeted. The absence of known exploits currently reduces immediate risk but also means organizations should proactively address the issue before exploitation becomes widespread.

1. Immediately audit all WordPress sites to identify installations of the WP Microdata plugin and assess their version. 2. Disable or remove the WP Microdata plugin if it is not essential to website functionality or SEO strategy. 3. If the plugin is required, implement strict input validation and output encoding on all user-supplied data fields to prevent injection of malicious scripts. 4. Monitor web application logs and user activity for signs of suspicious input or unexpected script execution. 5. Apply web application firewall (WAF) rules to detect and block common XSS payloads targeting this plugin. 6. Educate site administrators and content editors about the risks of stored XSS and safe content management practices. 7. Keep WordPress core and all plugins updated, and watch for vendor patches addressing this vulnerability. 8. Restrict administrative access to trusted users and enforce multi-factor authentication to reduce the risk of privilege abuse. 9. Conduct regular security assessments and penetration testing focused on web application vulnerabilities. 10. Prepare incident response plans to quickly contain and remediate any exploitation attempts.