CVE-2025-58018
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Richard Leishman Mail Subscribe List mail-subscribe-list allows Stored XSS. This issue affects Mail Subscribe List: from n/a through <= 2.1.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in the Mail Subscribe List plugin (≤2.1.10) lets attackers inject malicious scripts that execute when visitors browse the site.
Vulnerability Overview
The Mail Subscribe List plugin for WordPress, versions through 2.1.10, suffers from a stored cross-site scripting (XSS) vulnerability caused by improper neutralization of user-supplied input during web page generation [1]. The plugin fails to sanitize or escape input before it is stored and later rendered, allowing an attacker to inject arbitrary HTML or JavaScript payloads [1].
Exploitation Conditions
Exploitation requires a privileged user (such as an administrator) to perform some action — for example, clicking a crafted link or submitting a specially crafted form [1]. While the attacker may initiate the attack, successful injection depends on interaction from a user with the necessary roles [1]. Once the malicious payload is stored in the plugin's database, it will be executed in the browsers of any visitors to the affected page, including the administrator who triggered the storage [1].
Impact
An attacker can leverage this stored XSS to inject redirects, advertisements, or other arbitrary HTML payloads into the site [1]. The injected script could also be used to steal session cookies, deface the site, or perform other client-side attacks whenever a user visits the compromised page [1]. Because the payload is stored server-side rather than reflected from a single request, the malicious script persists and affects every visitor until the payload is removed.
Mitigation
The vendor has acknowledged the vulnerability, and the recommended action is to update the Mail Subscribe List plugin to a patched version (2.1.11 or later) as soon as possible [1]. If an immediate update is not possible, site owners are advised to consult their hosting provider or web developer for interim security measures [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.1.10
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.