CVE-2025-62967: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in designinvento DirectoryPress

Severity: Medium
Published: Mon Oct 27 2025 (10/27/2025, 01:34:14 UTC)
Source: CVE Database V5
Vendor/Project: designinvento
Product: DirectoryPress

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designinvento DirectoryPress directorypress allows DOM-Based XSS. This issue affects DirectoryPress: from n/a through <= 3.6.25.

AI-Powered Analysis

Last updated: 11/13/2025, 12:55:08 UTC

Technical Analysis

CVE-2025-62967 is a DOM-based Cross-site Scripting (XSS) vulnerability identified in the DirectoryPress plugin developed by designinvento, affecting versions up to and including 3.6.25. The vulnerability stems from improper neutralization of user-supplied input during web page generation, which allows malicious scripts to be injected and executed in the context of a victim's browser. Specifically, the flaw is in the handling of input that is incorporated into the Document Object Model (DOM) without adequate sanitization or encoding, enabling attackers to craft URLs or input parameters that trigger script execution when processed by the plugin. This can lead to unauthorized actions such as session hijacking, theft of sensitive information, or manipulation of the web application's behavior. The CVSS 3.1 base score is 6.5, reflecting a medium severity level, with an attack vector of network (remote exploitation), low attack complexity, requiring low privileges but user interaction, and with a scope change indicating that the vulnerability affects components beyond the initially vulnerable component. The impact affects confidentiality, integrity, and availability to a limited extent. No patches or known exploits are currently reported, but the vulnerability is publicly disclosed and should be addressed promptly. DirectoryPress is a WordPress plugin used to create directory and listing websites, which are often public-facing and may handle sensitive user data or business information, increasing the risk profile of this vulnerability.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those operating directory or listing websites using DirectoryPress. Successful exploitation could lead to unauthorized access to user sessions, theft of personal or business data, and potential defacement or manipulation of website content. This undermines user trust and could lead to regulatory non-compliance under GDPR due to data breaches. The availability of the service could also be affected if attackers leverage the vulnerability to perform denial-of-service or redirect users to malicious sites. Given the widespread use of WordPress and its plugins in Europe, organizations in sectors such as e-commerce, local business directories, tourism, and public services that rely on DirectoryPress are particularly at risk. The medium severity rating suggests that while the vulnerability is not critical, it still poses a tangible threat that could be exploited by attackers with moderate skills, especially if combined with social engineering to induce user interaction.

Mitigation Recommendations

1. Monitor for and apply official patches or updates from designinvento as soon as they become available to remediate the vulnerability.
2. In the absence of patches, implement strict input validation and output encoding on all user-supplied data processed by DirectoryPress, especially those incorporated into the DOM.
3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks.
4. Conduct regular security audits and penetration testing focusing on web application vulnerabilities, including DOM-based XSS.
5. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted content that could trigger the vulnerability.
6. Consider using Web Application Firewalls (WAFs) with rules tailored to detect and block XSS attack patterns targeting DirectoryPress.
7. Limit plugin usage to only necessary components and disable or remove unused features that may increase the attack surface.
8. Maintain regular backups and incident response plans to quickly recover from any successful exploitation.
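
Acting on recommendation 1 starts with knowing which installs fall inside the affected range (through 3.6.25). The following is an added example, not code from designinvento or from this database: it reads the `Version:` field of a WordPress plugin header and compares it numerically against that bound. The function names and the sample header are assumptions made for illustration.

```python
import re

# Last affected release according to the advisory ("through <= 3.6.25").
LAST_AFFECTED = "3.6.25"

# WordPress reads plugin metadata from a header comment near the top of the
# plugin's main PHP file; only the first 8 KiB are scanned.
_VERSION_LINE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def header_version(php_source):
    """Return the Version value from a plugin header, or None if absent."""
    match = _VERSION_LINE.search(php_source[:8192])
    return match.group(1) if match else None


def version_key(version):
    """Turn '3.6.25' into (3, 6, 25) so comparison is numeric, not textual."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if digits is None:
            break  # stop at the first non-numeric component
        parts.append(int(digits.group()))
    return tuple(parts)


def pad(key, width):
    """Right-pad a version tuple with zeros so '3.7' compares as 3.7.0."""
    return key + (0,) * (width - len(key))


def assess(php_source):
    """Classify one install as 'affected', 'outside range' or 'unknown'."""
    version = header_version(php_source)
    if version is None or not version_key(version):
        return "unknown"
    found, bound = version_key(version), version_key(LAST_AFFECTED)
    width = max(len(found), len(bound))
    return "affected" if pad(found, width) <= pad(bound, width) else "outside range"


# Constructed sample header for illustration, not copied from the real plugin.
SAMPLE = """<?php
/**
 * Plugin Name: DirectoryPress
 * Version: 3.6.3
 */
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A plain string comparison would rank 3.6.3 above 3.6.25 and miss an affected install, which is why the versions are compared as integer tuples.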


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-10-24T14:25:01.200Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68fed03423a7bbed324acc82

Added to database: 10/27/2025, 1:51:48 AM

Last enriched: 11/13/2025, 12:55:08 PM

Last updated: 12/14/2025, 6:12:32 AM
