VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published Sep 22, 2025 · Updated Apr 23, 2026

CVE-2025-58240

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xili-tidy-tags (Michel - xiligroup dev) allows Stored XSS. This issue affects xili-tidy-tags: from n/a through 1.12.06 (inclusive).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in xili-tidy-tags plugin (≤1.12.06) allows attackers to inject malicious scripts via improper input neutralization.

Vulnerability

Overview

The xili-tidy-tags plugin for WordPress (versions up to and including 1.12.06) contains a Stored Cross-Site Scripting (XSS) vulnerability caused by improper neutralization of user input during web page generation [1]. The plugin fails to sanitize or escape certain inputs before storing them in the database, so malicious markup can be saved and later executed in the browsers of other users who view the affected pages.
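As an added illustration (not code from xili-tidy-tags or its vendor), the following PHP contrasts the vulnerable pattern the description refers to with its hardened form: a hypothetical plugin setting stored through the WordPress options API, rendered raw versus sanitized on save and escaped for its output context. All xtt_* function names and the 'xtt_group_label' option are placeholders; the WordPress API functions used are real.

```php
<?php
// Added example, not the plugin's code. Hypothetical setting: a user-editable
// "tag group label" stored in wp_options and later rendered into the page.

// --- Vulnerable pattern: raw input stored, raw output echoed ----------------
function xtt_save_group_label_vulnerable( $label ) {
    // Whatever was submitted (including <script> tags or event-handler
    // attributes) is written to the database unchanged.
    update_option( 'xtt_group_label', $label );
}

function xtt_render_group_label_vulnerable() {
    // Rendered verbatim: stored markup becomes live HTML/JS in every visitor's
    // browser. This is "improper neutralization during web page generation".
    echo '<h3 class="xtt-group">' . get_option( 'xtt_group_label', '' ) . '</h3>';
}

// --- Hardened pattern: authorize, sanitize on input, escape on output -------
function xtt_save_group_label_fixed( $label ) {
    // Capability check: only users allowed to manage settings may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    // Nonce check ties the save to a form this user actually submitted.
    check_admin_referer( 'xtt_save_group_label' );
    // sanitize_text_field() strips tags and invalid octets and normalizes
    // whitespace; wp_unslash() removes the slashes WordPress adds to input.
    update_option( 'xtt_group_label', sanitize_text_field( wp_unslash( $label ) ) );
    return true;
}

function xtt_render_group_label_fixed() {
    $label = get_option( 'xtt_group_label', '' );
    // Escape for the exact context: esc_attr() inside an attribute value,
    // esc_html() for element text. Output escaping neutralizes stored payloads
    // even when an older, unsanitized value is still in the database.
    printf(
        '<h3 class="xtt-group" title="%s">%s</h3>',
        esc_attr( $label ),
        esc_html( $label )
    );
}
```

Escaping at render time is the control that matters for a stored XSS: sanitizing on save helps, but any value that reached the database before the fix is only made safe by the output escaping.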

Exploitation

Details

An attacker with the required privilege level (likely a WordPress user with a role such as Author or higher) can inject malicious JavaScript or HTML into the application [1]. The attack requires user interaction from a privileged user, such as clicking a link, visiting a crafted page, or submitting a form, to trigger the stored payload. Once stored, the malicious script executes automatically in the browsers of visitors or other users who access the compromised content, without any further interaction from those victims.

Impact

Successful exploitation enables the attacker to inject arbitrary HTML and JavaScript payloads, including redirects, advertisements, and other script-based attacks [1]. This can lead to session hijacking, defacement, theft of sensitive data (e.g., cookies or login tokens), and further compromise of the WordPress site and its users. The vulnerability is suitable for mass-exploitation campaigns targeting thousands of websites regardless of their size or popularity [1].

Mitigation

The plugin vendor has released a fix; users must update xili-tidy-tags to version 1.12.07 or later [1]. If an immediate update is not possible, website administrators should contact their hosting provider or a web developer for assistance and consider additional security controls such as a Web Application Firewall (WAF) to block XSS attempts. The vulnerability is rated Medium (CVSS 6.5) and requires prompt attention [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.