CVE-2025-58030
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Page-list page-list allows Stored XSS. This issue affects Page-list: from n/a through <= 5.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WordPress Page-list plugin ≤5.8 is vulnerable to Stored XSS, allowing authenticated lower-privilege users to inject malicious scripts that execute when other users visit affected pages.
Vulnerability Details
The WordPress Page-list plugin versions up to and including 5.8 contain a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during page generation. This flaw allows an attacker to inject arbitrary HTML or JavaScript into the plugin’s output, which is then stored on the server and executed in the browsers of visitors [1].
Exploitation Prerequisites
Exploitation requires the attacker to have a user account with the plugin’s applicable role (often Subscriber or Contributor). No higher privileges are needed. Successful execution depends on another privileged user (e.g., an administrator) performing an action such as previewing or visiting a crafted page, or clicking a malicious link. However, the stored script will also execute automatically for any visitor to the affected page [1].
Impact
An attacker can inject malicious scripts, including redirects, advertisements, or other HTML payloads. This could lead to session hijacking, defacement, or further compromise of the site and its users. The vulnerability has a CVSS v3 base score of 6.5 (Medium) and is known to be targeted in mass-exploit campaigns [1].
Mitigation
The issue has been fixed in version 5.9 of the Page-list plugin. Users are strongly advised to update immediately. If updating is not possible, consulting a hosting provider or web developer for alternative mitigations is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 5.8
- (no CPE) range: <=5.8
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.