CVE-2025-58220

The Card Elements for WPBakery plugin for WordPress, versions up to and including 1.0.8, contains a DOM-Based Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, which allows an attacker to inject arbitrary JavaScript code that executes in the context of the victim's browser [1].

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. The vulnerability can be triggered by a privileged user (e.g., an administrator) performing an action on the vulnerable plugin's interface. This makes it a stored or reflected XSS scenario depending on the attack vector, but the advisory specifically notes DOM-Based XSS [1].

Successful exploitation could allow an attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads. These scripts execute when other users (including site visitors) access the affected page, potentially leading to session hijacking, defacement, or further compromise [1].

The vendor has not released a patched version beyond 1.0.8, and users are advised to update the plugin immediately. If updating is not possible, contacting the hosting provider or a web developer for mitigation is recommended. This vulnerability is noted as being used in mass-exploit campaigns [1].