CVE-2025-58021
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in douglaskarr List Child Pages Shortcode list-child-pages-shortcode allows Stored XSS. This issue affects List Child Pages Shortcode: from n/a through <= 1.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress List Child Pages Shortcode plugin ≤1.3.1 allows attackers to inject malicious scripts via insufficient input sanitization.
Vulnerability Details
CVE-2025-58021 is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin List Child Pages Shortcode, versions 1.3.1 and earlier. The root cause is improper neutralization of user-supplied input during web page generation. As a result, an attacker with contributor-level or higher privileges can inject arbitrary JavaScript or HTML payloads that are stored on the server and executed when an administrator or visitor views the affected page [1].
Exploitation and Attack Surface
Exploitation requires the attacker to have the ability to create or edit content on the WordPress site (e.g., an authenticated contributor). The vulnerability is triggered when the stored input is rendered by the plugin's shortcode. While some user interaction may be needed (e.g., an admin visiting the crafted page), the payload can lead to persistent compromise of the site's frontend. The referenced advisory notes that automated mass-exploit campaigns often target this class of vulnerability [1].
Impact
Successful exploitation could allow an attacker to execute malicious scripts in the context of the victim's browser. This can be used to steal session cookies, redirect users to malicious sites, display unwanted advertisements, or deface the site. Because the script is stored, every visitor to the affected page becomes a potential victim [1].
Mitigation
The vendor has released version 1.4.0, which fixes the vulnerability by properly sanitizing input. Users are strongly advised to update to this version immediately. For Patchstack subscribers, enabling auto-update will protect against this and future vulnerabilities [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.3.1
- Range: <=1.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.