CVE-2025-58232

Vulnerability

Overview The Image Editor by Pixo plugin for WordPress, versions through 2.3.8, contains a DOM-based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation. This means user-supplied data is not properly sanitized before being processed in the Document Object Model (DOM), allowing an attacker to inject arbitrary JavaScript code into the page's execution context [1].

Exploitation

Details Exploitation of this vulnerability requires a privileged user to interact with a malicious link or a crafted webpage. According to the advisory, this vulnerability is frequently used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Impact

If successfully exploited, an attacker can inject arbitrary HTML and JavaScript into a site's pages. This can result in actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing sensitive information like session cookies. The injected script executes in the context of the victim's browser when they visit the affected site [1].

Mitigation

The vendor has released an update to address this issue. Users are strongly advised to update the plugin to a version newer than 2.3.8. If immediate updating is not possible, it is recommended to contact a web developer or hosting provider for assistance [1].