CVE-2025-58227

Vulnerability

Overview

The Podlove Subscribe button plugin for WordPress (versions up to and including 1.3.11) contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an authenticated attacker with sufficient privileges to inject arbitrary web scripts or HTML into pages served by the plugin.

Exploitation

Requirements

Exploitation requires user interaction from a privileged user, such as clicking a malicious link or visiting a crafted page [1]. The attack is initiated through the plugin's administrative interface, where unsanitized input is stored and later rendered to site visitors, leading to script execution in their browsers.

Impact

Successful exploitation allows an attacker to inject payloads including redirects, advertisements, or other HTML/JavaScript content [1]. These scripts execute when any guest visits the affected site, enabling campaigns that target thousands of websites regardless of traffic size or popularity [1].

Mitigation

The vulnerability is resolved in version 1.3.12, and users are strongly advised to update immediately [1]. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].