CVE-2025-62967 is a DOM-based Cross-site Scripting (XSS) vulnerability identified in the DirectoryPress plugin developed by designinvento, affecting versions up to and including 3.6.25. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, specifically within client-side scripts that handle dynamic content. In a DOM-based XSS, the malicious payload is executed as a result of unsafe manipulation of the Document Object Model (DOM) in the victim's browser, without involving server-side script injection. This flaw allows an attacker to craft a specially crafted URL or input that, when processed by the vulnerable DirectoryPress plugin, injects and executes arbitrary JavaScript code in the context of the victim's browser session. Such execution can lead to theft of cookies, session tokens, or other sensitive information, and can enable actions such as redirecting users to malicious sites or performing unauthorized operations on behalf of the user. The vulnerability does not require authentication, increasing its risk profile. Although no known exploits are currently in the wild, the public disclosure and availability of technical details increase the likelihood of exploitation attempts. DirectoryPress is a WordPress plugin widely used for creating directory and listing websites, meaning that any organization using this plugin on their public-facing sites could be vulnerable. The absence of an official patch at the time of disclosure necessitates immediate attention to mitigation strategies to reduce exposure.

For European organizations, the impact of CVE-2025-62967 can be significant, particularly for those relying on DirectoryPress for business-critical directory or listing services. Successful exploitation can compromise user data confidentiality by stealing session cookies or credentials, leading to account takeover or unauthorized access. Integrity can be affected if attackers manipulate displayed content or perform unauthorized actions on behalf of users. Availability impact is generally limited but could occur indirectly through user distrust or follow-on attacks. Organizations in sectors such as e-commerce, local business directories, real estate listings, or event management that use DirectoryPress are at heightened risk. The vulnerability's ease of exploitation without authentication means attackers can target any visitor to affected sites, potentially leading to widespread impact. Additionally, regulatory compliance risks arise under GDPR if personal data is compromised, potentially resulting in fines and reputational damage.

1. Monitor designinvento's official channels for patches addressing CVE-2025-62967 and apply updates promptly once available. 2. Until patches are released, implement strict input validation and sanitization on all user-controllable inputs processed by DirectoryPress, focusing on client-side scripts that manipulate the DOM. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of injected code. 4. Use security plugins or web application firewalls (WAFs) capable of detecting and blocking XSS payloads targeting DirectoryPress. 5. Conduct regular security audits and penetration testing focusing on client-side vulnerabilities in WordPress plugins. 6. Educate users and administrators about the risks of clicking suspicious links and encourage the use of updated browsers with built-in XSS protections. 7. Consider temporarily disabling or restricting access to DirectoryPress-powered pages if immediate patching is not feasible and risk is high.