CVE-2025-58008
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xnau webdesign Participants Database participants-database allows Stored XSS. This issue affects Participants Database: from n/a through <= 2.7.6.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Participants Database plugin ≤2.7.6.3 allows attackers to inject malicious scripts via improper input neutralization.
Vulnerability Overview
The vulnerability is a Stored Cross-Site Scripting (XSS) in the WordPress plugin Participants Database, versions n/a through 2.7.6.3. The root cause is improper neutralization of user-supplied input during web page generation, allowing arbitrary HTML and JavaScript to be stored and later executed in the context of other users' browsers [1].
Exploitation requires a privileged user (e.g., administrator) to perform an action such as clicking a crafted link or submitting a form, but the injected payload persists and executes when any visitor accesses the affected page. No authentication is needed for the stored payload to trigger on subsequent page loads [1].
An attacker can inject malicious scripts that may redirect visitors, display advertisements, or deliver other HTML payloads. This can lead to defacement, data theft, or further compromise of the site and its users [1].
The vendor has released version 2.7.7 which resolves the issue. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. The vulnerability is considered low severity but is known to be used in mass-exploit campaigns [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <=2.7.6.3
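A check an administrator could run against the affected range above, as an added example that is not part of the original page or the plugin's code: it reads the `Version:` header of the installed plugin and flags anything below the fixed release 2.7.7. The default `wp-content/plugins/<slug>` layout and all function names are assumptions.

```python
import re
import sys
from pathlib import Path

SLUG = "participants-database"   # plugin slug from the CVE description
FIXED = (2, 7, 7)                # first fixed release named on this page
# Plugin header line: optional comment characters, then "Version: x.y.z"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def parse_version(text):
    """'2.7.6.3' -> (2, 7, 6, 3); None if any component is not numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Compare numerically: as strings, '2.7.10' would sort below '2.7.7'."""
    v = parse_version(version_text or "")
    if v is None:
        return "unknown"            # missing or odd version: check by hand
    width = max(len(v), len(FIXED))
    pad = lambda t: t + (0,) * (width - len(t))
    return "affected" if pad(v) < pad(FIXED) else "patched"


def installed_version(plugin_dir):
    """Version header of the plugin's main file (the one with 'Plugin Name:')."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if re.search(r"Plugin Name:", head, re.I):
            m = VERSION_RE.search(head)
            return m.group(1) if m else None
    return None


def audit(site_roots):
    """Map each site root that has the plugin to (version, status)."""
    report = {}
    for root in site_roots:
        plugin_dir = Path(root) / "wp-content" / "plugins" / SLUG  # assumed layout
        if plugin_dir.is_dir():
            version = installed_version(plugin_dir)
            report[str(root)] = (version, classify(version))
    return report


if __name__ == "__main__":
    for root, (version, status) in audit(sys.argv[1:]).items():
        print(f"{root}: {SLUG} {version} -> {status}")
```

Pass one or more WordPress document roots as arguments; sites without the plugin are left out of the report.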
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.