CVE-2025-58017

Vulnerability

Overview

CVE-2025-58017 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Ultimate Store Kit Elementor Addons plugin for WordPress, affecting versions from n/a through 2.8.6. The root cause is improper neutralization of user-supplied input during web page generation, which allows an attacker to inject arbitrary JavaScript or HTML into the application's output [1].

Exploitation

Details

To exploit this vulnerability, an attacker must have a privileged user role (e.g., Editor or Administrator) that can interact with the plugin's settings or content fields. The attack requires user interaction, such as clicking a malicious link or submitting a crafted form, which triggers the stored payload. Once the payload is saved, it will be executed when any visitor accesses the affected page [1].

Impact

Successful exploitation enables the attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads, into the website. These scripts execute in the context of the victim's browser, potentially leading to session hijacking, defacement, or phishing attacks against site visitors [1].

Mitigation

The vendor has released version 2.8.7 which resolves the vulnerability. Users are strongly advised to update to this version or later. For those unable to update immediately, enabling auto-updates for vulnerable plugins (e.g., via Patchstack) is recommended as a temporary measure [1].