CVE-2025-62968 identifies a stored cross-site scripting (XSS) vulnerability in the WordPress plugin WP Last Modified Info, developed by Sayan Datta. The flaw stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be stored persistently within the plugin’s output. When a user visits a page containing the injected script, the malicious code executes in their browser context, potentially leading to session hijacking, credential theft, defacement, or distribution of malware. The vulnerability affects all versions of WP Last Modified Info up to and including 1.9.2. Exploitation does not require authentication or user interaction beyond visiting the affected page, increasing its risk profile. Although no public exploits have been reported yet, the nature of stored XSS vulnerabilities makes them attractive targets for attackers aiming to compromise website visitors or administrators. The vulnerability was reserved and published in late October 2025, but no official patch or CVSS score has been released to date. The plugin is commonly used in WordPress environments to display last modified dates on posts and pages, making it prevalent in many websites globally. The lack of input sanitization or output encoding in the plugin’s code is the root cause, and remediation will require code fixes to properly neutralize input or escape output. Until patches are available, affected sites remain vulnerable to persistent script injection attacks.

For European organizations, this vulnerability can lead to significant risks including unauthorized access to user sessions, theft of sensitive information, and potential defacement or malware injection on public-facing websites. Organizations relying on WP Last Modified Info for content management may inadvertently expose their users to malicious scripts, undermining trust and compliance with data protection regulations such as GDPR. The impact extends to website availability and integrity, as attackers could manipulate site content or redirect users to malicious domains. Given the stored nature of the XSS, the attack surface includes all visitors to compromised pages, amplifying potential damage. The absence of known exploits currently provides a window for mitigation, but the widespread use of WordPress and this plugin in Europe means many organizations could be affected simultaneously if exploitation begins. The reputational damage and potential regulatory penalties for data breaches or user harm could be substantial, especially for sectors like finance, healthcare, and e-commerce that rely heavily on secure web presence.

European organizations should immediately inventory their WordPress installations to identify the presence of the WP Last Modified Info plugin and its version. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack vector. Implementing Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads can provide interim protection. Applying strict Content Security Policies (CSP) to restrict script execution sources can mitigate the impact of injected scripts. Website owners should also audit and sanitize any user-generated content or plugin settings that might be exploited to inject malicious code. Monitoring web logs for suspicious activity and scanning sites for injected scripts can help detect exploitation attempts early. Once a patch is available, prompt application is critical. Additionally, educating content editors and administrators on safe input practices and plugin management will reduce future risks.