CVE-2025-58031

The Nextend Facebook Connect plugin for WordPress (versions up to 3.1.19) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users view the affected page.

Exploitation requires a privileged user (e.g., with contributor or higher role) to perform an action such as clicking a malicious link or submitting a crafted form [1]. The attacker does not need direct access to the site but can trick an authenticated user with sufficient privileges into triggering the payload. The vulnerability is classified as medium severity (CVSS 6.5) and is known to be used in mass-exploit campaigns targeting thousands of websites [1].

Successful exploitation allows the attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, which execute when visitors access the compromised page [1]. This can lead to defacement, data theft, or further compromise of the site.

The vulnerability is patched in version 3.1.20 of the plugin [1]. Users are strongly advised to update immediately. If unable to update, they should seek assistance from their hosting provider or web developer. Patchstack users can enable auto-updates for vulnerable plugins [1].