CVE-2025-62937: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the WordPress plugin 'Johnny Post List Featured Image' (post-list-featured-image), tracked as CVE-2025-62937. The vulnerability affects versions through 0.5.9 and was discovered by researcher Muhammad Yudha - DJ. The issue was publicly disclosed on October 9, 2025, and was subsequently added to the National Vulnerability Database on October 26, 2025 (Wordfence, NVD).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that it requires low privilege access and user interaction to exploit (NVD).

The vulnerability allows authenticated users with Contributor level access or higher to store and execute malicious scripts, potentially affecting the integrity of the website and compromising user data through cross-site scripting attacks (Wordfence).

Website administrators running affected versions of the Post List Featured Image plugin should update to a version newer than 0.5.9 when available. In the meantime, it is recommended to limit Contributor access and carefully monitor user permissions (Patchstack).