Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS. This issue affects WPCasa: from n/a through 1.4.1.
Published: 2026-03-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a DOM‑Based Cross‑Site Scripting (XSS) flaw caused by improper neutralization of input during web page generation in WPSight WPCasa. This weakness allows an attacker to inject malicious script that is executed in the context of a victim's browser. The impact is limited to the victim's session and browser, enabling actions such as cookie theft, session hijacking, or defacement of the page. The weakness corresponds to CWE‑79.

Affected Systems

Vendor WPSight offers the WPCasa plugin, and all releases up to and including version 1.4.1 are affected. Newer releases (1.4.2 and later) have addressed the issue. No specific version range is given beyond the latest known vulnerable release.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity level. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via malicious input that is reflected within the user interface of the plugin. The attacker requires a user to visit a crafted URL or submit manipulated parameters that are rendered in the browser.

Generated by OpenCVE AI on March 19, 2026 at 09:22 UTC.

Remediation

Vendor Solution

Update the WordPress WPCasa Plugin to the latest available version (at least 1.4.2).


OpenCVE Recommended Actions

  • Update the WordPress WPCasa Plugin to version 1.4.2 or newer

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpsight; Wpsight wpcasa
Vendors & Products | | Wordpress; Wordpress wordpress; Wpsight; Wpsight wpcasa

Thu, 19 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS. This issue affects WPCasa: from n/a through 1.4.1.
Title | | WordPress WPCasa plugin <= 1.4.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
Wpsight Wpcasa
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-19T13:32:59.665Z

Reserved: 2025-10-07T15:34:26.392Z

Link: CVE-2025-62043

Vulnrichment

Updated: 2026-03-19T13:32:48.121Z

NVD

Status: Awaiting Analysis

Published: 2026-03-19T09:16:16.397

Modified: 2026-03-19T13:25:00.570

Link: CVE-2025-62043

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:15:27Z

Weaknesses