Cross-site Scripting Vulnerability in Simple Payment by Ido Kobelkowsky
CVE-2025-62076

7.1HIGH

Key Information:

Vendor: WordPress
Status: Simple Payment
Vendor: CVE Published:; 6 November 2025

What is CVE-2025-62076?

The Simple Payment plugin for WordPress, developed by Ido Kobelkowsky, has a vulnerability that allows for improper neutralization of input during web page generation, leading to potential Cross-site Scripting (XSS) attacks. This vulnerability affects versions up to 2.4.6 of the plugin, allowing malicious users to inject arbitrary web scripts into pages viewed by other users. This can lead to unauthorized actions, data theft, and compromise of user sessions. Ensuring your plugins are updated and implementing best security practices is essential to mitigate such risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Simple Payment <= n/a

References

https://patchstack.com/database/Wordpress/Plugin/simple-p...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 6, 2025
Vulnerability Reserved
Oct 7, 2025

Credit

Nguyen Xuan Chien | Patchstack Bug Bounty Program

JSON

WordPress