Cross-Site Scripting Vulnerability in Custom Post Type Attachment Plugin by aviplugins.com
CVE-2025-62907

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Custom Post Type Attachment
Vendor: CVE Published:; 27 October 2025

What is CVE-2025-62907?

The Custom Post Type Attachment plugin by aviplugins.com contains a vulnerability that allows for stored cross-site scripting (XSS) attacks. This occurs due to improper neutralization of input during web page generation, which could enable an attacker to inject malicious scripts. Users of affected plugin versions, specifically those up to version 3.4.6, are at risk, as attackers can exploit this vulnerability to manipulate user sessions or redirect users to malicious sites.

Affected Version(s)

Custom Post Type Attachment <= n/a

References

https://vdp.patchstack.com/database/Wordpress/Plugin/cust...

vdb-entry

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 27, 2025
Vulnerability Reserved
Oct 24, 2025

Credit

Muhammad Yudha - DJ | Patchstack Bug Bounty Program

JSON