CVE-2025-58216

Vulnerability

Overview

The WP Thumbtack Review Slider plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users, including site visitors, access the affected page.

Exploitation

Details

Exploitation requires an authenticated user with sufficient privileges, such as a contributor or author, to inject the malicious payload through the plugin's input fields [1]. The vulnerability is classified as stored XSS, meaning the injected script persists and triggers automatically without requiring additional user interaction from the victim beyond viewing the compromised page.

Impact

A successful attack enables the attacker to execute arbitrary scripts in the context of the victim's browser. This can lead to session hijacking, redirection to malicious sites, injection of unwanted advertisements, or theft of sensitive information such as cookies and authentication tokens [1]. The CVSS score of 5.9 reflects the medium severity, though the vendor notes that mass exploitation campaigns often target such vulnerabilities.

Mitigation

The vulnerability affects all versions up to and including 2.6. Users are strongly advised to update to version 2.7 or later, which contains the fix [1]. Patchstack users can enable auto-updates for vulnerable plugins to ensure timely protection.