CVE-2025-58212

Vulnerability

Overview The Epeken All Kurir plugin for WordPress, versions up to and including 2.0.1, contains a DOM-based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-controlled input during web page generation [1]. This vulnerability is classified under CWE-79 and has a CVSS v3 score of 6.5 (Medium).

Exploitation

Details An attacker could exploit this vulnerability without requiring any special privileges, though user interaction is needed — a victim with privileged access must click a malicious link, visit a crafted page, or submit a specially crafted form [1]. The attack can be initiated by an unauthenticated user, making it accessible to a wide range of threat actors. The DOM-based nature means the payload is executed client-side via script manipulation rather than server-side reflection.

Impact

Successful exploitation allows an attacker to inject arbitrary malicious scripts into the affected web page, which then execute in the browser of any visitor [1]. This could lead to redirects, injected advertisements, data theft, or other harmful actions within the context of the victim's session on the WordPress site. Such vulnerabilities are frequently used in mass-exploit campaigns targeting thousands of websites simultaneously.

Mitigation

The vendor has released version 2.0.2 which fixes the vulnerability [1]. Users are strongly advised to update immediately or enable automatic updates for vulnerable plugins. If updating is not possible, consulting a hosting provider or web developer for interim security measures is recommended [1].