CVE-2025-58235
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Front End Users (front-end-only-users) allows Stored XSS. This issue affects Front End Users: from n/a through <= 3.2.35.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Front End Users plugin for WordPress allows attackers to inject malicious scripts via unsanitized input, up to version 3.2.35.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability exists in the Front End Users plugin for WordPress, affecting versions through 3.2.35. The issue stems from improper neutralization of input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and later executed in the browsers of visitors [1].
Exploitation
This stored XSS vulnerability requires user interaction. A privileged user, such as a site administrator or editor, must be tricked into clicking a malicious link, visiting a crafted page, or submitting a specially crafted form. Once triggered, the injected payload persists in the application and is executed when other users (including unauthenticated visitors) access the affected page [1].
Impact
Successful exploitation enables a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads, into the website. These scripts execute whenever guests visit the compromised page, potentially leading to data theft, session hijacking, or defacement. The CVSS v3 base score of 6.5 reflects the medium severity due to the requirement for user interaction and privileges [1].
Mitigation
The recommended immediate action is to update the Front End Users plugin to a patched version beyond 3.2.35. If updating is not possible, website administrators should contact their hosting provider or a web developer for assistance. This vulnerability is known to be used in mass-exploit campaigns targeting thousands of sites independent of traffic or popularity [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 3.2.35
- Range: <= 3.2.35
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.