VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published Sep 22, 2025 · Updated Apr 23, 2026

CVE-2025-58237

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Niaj Morshed LC Wizard (ghl-wizard) allows Stored XSS. This issue affects LC Wizard: from n/a through <= 2.2.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in the LC Wizard plugin (<= 2.2.4) lets authenticated attackers inject arbitrary scripts, which then execute when other users view the affected pages.

The LC Wizard (ghl-wizard) plugin for WordPress versions up to and including 2.2.4 contains a stored cross-site scripting (XSS) vulnerability in how it handles input during page generation. The plugin fails to properly neutralize user-controllable input, allowing malicious script content to be persisted within the application [1].

Exploitation requires a privileged user account (e.g., contributor-level access or higher) to inject the script payload through a vulnerable input field. User interaction by another privileged user, such as an administrator, is also required: that user must perform an action (for example clicking a link or submitting a form) that causes the stored payload to be rendered [1].

If successfully exploited, an attacker can inject arbitrary JavaScript, HTML, or other client-side code. This can lead to redirections to malicious sites, display of unauthorized advertisements, theft of session cookies, or defacement of the WordPress site when any visitor loads the compromised page [1].

As of the advisory, the recommended mitigation is to update the LC Wizard plugin to the latest patched version (2.3.0 or higher). Users unable to update immediately should request assistance from their hosting provider or a web developer [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
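The narrative above describes the generic CWE-79 pattern (user-controlled input persisted, then written into a page without neutralization) rather than the plugin's specific code. As an added illustration that is not LC Wizard's code and is not derived from it, the following hypothetical WordPress plugin fragment shows that pattern beside the sanitise-on-save, escape-on-output version a maintainer would ship as the fix. All function names are invented; the `function_exists` shims exist only so the file also runs under plain `php` outside WordPress, where the real `esc_html()`, `esc_attr()` and `sanitize_text_field()` are otherwise provided by core.

```php
<?php
// Hypothetical illustration of stored XSS (CWE-79) in a WordPress plugin.
// Not LC Wizard's code; function names and field names are invented.

// Shims so this file runs under plain `php`. Inside WordPress these are
// already defined by core and the shims are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of core's behaviour: drop tags and surrounding whitespace.
    function sanitize_text_field($str) {
        return trim(strip_tags((string) $str));
    }
}

// --- Vulnerable pattern -------------------------------------------------
// A value saved earlier by a contributor is concatenated straight into the
// page. Whatever markup that user stored becomes live HTML for every viewer,
// including an administrator opening the same screen.
function example_render_step_title_unsafe(string $stored_title): string {
    return '<h2 class="wizard-step-title">' . $stored_title . '</h2>';
}

// --- Hardened pattern ---------------------------------------------------
// 1) Sanitise when the value is written, so the stored copy never holds tags.
function example_save_step_title(string $raw_input): string {
    // In a real handler this would sit behind a capability check and a nonce
    // check (current_user_can() / check_admin_referer()); the role of the
    // submitter is not a substitute for neutralizing the input itself.
    return sanitize_text_field($raw_input);
}

// 2) Escape when the value is read, using the escaper that matches the
//    context it lands in: esc_attr() inside an attribute, esc_html() in text.
function example_render_step_title_safe(string $stored_title): string {
    return '<h2 class="wizard-step-title" data-title="' . esc_attr($stored_title) . '">'
         . esc_html($stored_title)
         . '</h2>';
}

// Constructed sample input of the kind a low-privilege account could submit
// through a form field that is later rendered to other users.
$constructed_payload = '<script>alert(document.cookie)</script>';

echo "unsafe : ", example_render_step_title_unsafe($constructed_payload), PHP_EOL;
echo "safe   : ", example_render_step_title_safe(example_save_step_title($constructed_payload)), PHP_EOL;

// Escaping on output alone also neutralizes a value that was stored before
// the sanitiser existed, which matters when the fix ships to sites that
// already hold tainted rows.
echo "legacy : ", example_render_step_title_safe($constructed_payload), PHP_EOL;
```

The two halves of the fix are independent on purpose: sanitising on save stops new tainted values from being stored, while escaping on output protects rows that were saved by an older, vulnerable release. A reviewer checking a plugin for this class of bug looks for stored values (options, post meta, custom tables) that reach `echo` or string concatenation without passing through the `esc_*` or `wp_kses*` family.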

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)