CVE-2025-58023
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in akdevs Genealogical Tree genealogical-tree allows Stored XSS. This issue affects Genealogical Tree: from n/a through <= 2.2.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-58023 is a stored XSS vulnerability in the Genealogical Tree WordPress plugin, versions up to and including 2.2.7. An authenticated user with enough privileges to edit the plugin's data can store a script that executes in the browser of anyone who later views the affected page.
Vulnerability
Overview
CVE-2025-58023 is a stored cross-site scripting (XSS) vulnerability in the Genealogical Tree plugin for WordPress, affecting all versions through 2.2.7. The root cause is improper neutralization of input during web page generation: user-supplied input is saved by the plugin without sanitization and later written into an HTML page without escaping for the context it lands in. As a result, an authenticated user who is permitted to edit the plugin's data (the description does not state the minimum role) can persist arbitrary HTML and JavaScript in the site's content.[1]
Exploitation
Requirements
Exploitation requires an authenticated account with enough privileges to submit data to the plugin; the exact role depends on how the plugin and site are configured, and reports of this class of bug commonly put the bar at contributor level or above. The attacker submits a crafted value through a form or field that the plugin stores in the database and later renders to other users. The victim needs to do nothing beyond loading an affected page: the stored script runs automatically in their browser. Because a valid account is required, this is not a candidate for unauthenticated mass exploitation across many sites; the realistic scenarios are abuse by a lower-privileged user, a compromised or purchased account, or a site that accepts genealogy content from untrusted registrants.[1]
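The save-then-render pattern described above, as an added illustration of the bug class. This is not code from the Genealogical Tree plugin; the meta key `gt_person_bio`, the form field names, the nonce action and the `gt_example_*` function names are assumptions chosen for the example. The first pair of functions shows the vulnerable pattern (trust on save, raw echo on output); the second pair shows the standard WordPress hardening: authorize and sanitize on save, escape on output, with the escaper chosen for the HTML context.

```php
<?php
// Added illustration, not the plugin's own code. All names below are
// assumptions; the plugin's real fields and hooks are not known here.

// --- Vulnerable pattern: trust the field on save, print it raw on output ---

// Save handler: stores whatever the submitted form contains.
function gt_example_save_vulnerable( $post_id ) {
    if ( isset( $_POST['gt_person_bio'] ) ) {
        // No capability check, no nonce, no sanitization.
        update_post_meta( $post_id, 'gt_person_bio', $_POST['gt_person_bio'] );
    }
}

// Render: echoes the stored value into the page unescaped. A stored value
// such as  <img src=x onerror="alert(document.domain)">  (generic XSS test
// string, constructed for this example) then runs in every visitor's browser.
function gt_example_render_vulnerable( $post_id ) {
    $bio = get_post_meta( $post_id, 'gt_person_bio', true );
    echo '<div class="gt-bio">' . $bio . '</div>';
}

// --- Hardened pattern: authorize and sanitize on save, escape on output ---

function gt_example_save_hardened( $post_id ) {
    // Only users allowed to edit this post may change its data.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Reject requests that do not carry the form's nonce (CSRF guard).
    if ( ! isset( $_POST['gt_bio_nonce'] )
        || ! wp_verify_nonce( $_POST['gt_bio_nonce'], 'gt_save_bio_' . $post_id ) ) {
        return;
    }
    if ( isset( $_POST['gt_person_bio'] ) ) {
        // wp_kses_post() keeps the HTML allowed in post content and strips
        // <script>, on* event handlers and javascript: URLs. Use
        // sanitize_text_field() instead if the field should be plain text.
        $bio = wp_kses_post( wp_unslash( $_POST['gt_person_bio'] ) );
        update_post_meta( $post_id, 'gt_person_bio', $bio );
    }
}

function gt_example_render_hardened( $post_id ) {
    $bio = get_post_meta( $post_id, 'gt_person_bio', true );
    // Escape at output time as well: stored rows may predate the fix or have
    // been written by another code path. wp_kses_post() for rich text,
    // esc_html() if the field is plain text.
    echo '<div class="gt-bio">' . wp_kses_post( $bio ) . '</div>';
}

// Attribute context needs its own escaper; esc_html() is not enough there.
function gt_example_render_attr_hardened( $post_id ) {
    $name = get_post_meta( $post_id, 'gt_person_name', true );
    echo '<span data-name="' . esc_attr( $name ) . '">' . esc_html( $name ) . '</span>';
}

add_action( 'save_post', 'gt_example_save_hardened' );
```

The important design point is that sanitizing on save and escaping on output are both needed: sanitization limits what gets stored, but output escaping is what guarantees that whatever is in the database cannot change the page's structure, including data written before the fix.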
Impact
A successful attack gives the threat actor arbitrary HTML and JavaScript in the rendered page: redirects, injected advertisements, defacement, or a script that acts with the viewing user's privileges. WordPress authentication cookies are HttpOnly, so straightforward cookie theft is limited, but the script does not need the cookie: it runs inside an authenticated browser and can issue requests to the admin interface or REST API as that user, which matters most when an administrator views the page. Because the injection is stored, it persists across visits and affects every user who loads the compromised page until the malicious content is removed from the database.[1]
Mitigation
Versions through 2.2.7 are listed as affected, so the fix is in a later release; update the Genealogical Tree plugin to the newest available version (no patch link is recorded on this page). If updating is not immediately possible, restrict which roles can create or edit the plugin's content and consider a web application firewall rule for common XSS patterns, keeping in mind that signature filtering is a stopgap that determined attackers can bypass. Updating does not remove payloads that were stored before the fix, so after upgrading, review the plugin's stored data for injected markup. The plugin's developer or hosting provider can be contacted for assistance.[1]
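One way to perform the post-upgrade review mentioned above: a WP-CLI command, added here as an example and not part of the Genealogical Tree plugin, that searches postmeta rows for script tags, inline event handlers and javascript: URLs, reports them, and optionally re-sanitizes them with `wp_kses_post()` after quarantining the original value. It assumes the plugin keeps its data in postmeta under keys beginning with `gt_`; that prefix, the command name `gt-xss-hunt` and the quarantine key format are assumptions, and if the plugin uses its own tables the query has to be pointed at them instead.

```php
<?php
// Added check, not part of the Genealogical Tree plugin. Drop it into
// wp-content/mu-plugins/ and run:  wp gt-xss-hunt [--fix]
// The meta-key prefix 'gt_' is an assumption; replace it with the prefix
// the plugin really uses.

if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    return;
}

function gt_hunt_stored_markup( $fix = false, $prefix = 'gt_' ) {
    global $wpdb;

    // Triage patterns: script tags, inline event handlers, javascript: URLs.
    // LIKE is case-insensitive under WordPress's default collations.
    $patterns = array( '<script', 'onerror=', 'onload=', 'javascript:' );

    $findings = array();
    foreach ( $patterns as $needle ) {
        $rows = $wpdb->get_results(
            $wpdb->prepare(
                "SELECT meta_id, post_id, meta_key, meta_value
                   FROM {$wpdb->postmeta}
                  WHERE meta_key LIKE %s AND meta_value LIKE %s",
                $wpdb->esc_like( $prefix ) . '%',
                '%' . $wpdb->esc_like( $needle ) . '%'
            )
        );
        foreach ( $rows as $row ) {
            $findings[ $row->meta_id ] = $row; // de-duplicate across patterns
        }
    }

    foreach ( $findings as $row ) {
        $clean = wp_kses_post( $row->meta_value );
        WP_CLI::log( sprintf(
            'post %d  %s  meta_id %d  changed-by-kses: %s',
            $row->post_id, $row->meta_key, $row->meta_id,
            $clean === $row->meta_value ? 'no' : 'yes'
        ) );
        if ( $fix && $clean !== $row->meta_value ) {
            // Keep the original for the incident record before overwriting it.
            add_post_meta( $row->post_id, '_' . $row->meta_key . '_quarantined', $row->meta_value );
            update_metadata_by_mid( 'post', $row->meta_id, $clean );
        }
    }
    return $findings;
}

WP_CLI::add_command( 'gt-xss-hunt', function ( $args, $assoc_args ) {
    $findings = gt_hunt_stored_markup( isset( $assoc_args['fix'] ) );
    WP_CLI::success( count( $findings ) . ' suspicious postmeta row(s) found.' );
} );
```

Run it without `--fix` first and read the report: a row that `wp_kses_post()` would not change is probably a false positive (for example the word "onload=" inside a biography), while a row it does change is worth recording, together with the post's revision history and the account that saved it, before cleaning.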
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- akdevs Genealogical Tree (genealogical-tree) for WordPress: <=2.2.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.