WordPress is a content management system paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes.

WordPress

The SuperSaaS – online appointment scheduling plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘after’ parameter in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is limited to Chromium-based browsers (e.g. Chrome, Edge, Brave).

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-14977	HIGH	8.1	WordPress	dokan-lite	No	Yes	Jan 20, 2026
CVE-2025-14348	MEDIUM	5.3	WordPress	wemail	No	Yes	Jan 20, 2026
CVE-2026-1045	MEDIUM	4.4	WordPress	viet-contact	No	No	Jan 20, 2026
CVE-2026-1042	MEDIUM	4.4	WordPress	wp-hello-bar	No	No	Jan 20, 2026
CVE-2025-12573	N/A	N/A	WordPress	bookingor	No	No	Jan 20, 2026

CVE-2025-0862:
WordPress vulnerability analysis and mitigation

Overview

Technical details

Mitigation and workarounds

Additional resources

4.9

Related WordPress vulnerabilities:

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?

CVE-2025-0862: WordPress vulnerability analysis and mitigation