CVE-2025-58242

Vulnerability

Analysis

The Bg Church Memos plugin for WordPress (versions up to and including 1.1) contains a DOM-Based Cross-Site Scripting (XSS) vulnerability, formally tracked as CVE-2025-58242. The root cause is improper neutralization of user input during web page generation, meaning the plugin fails to sanitize or escape certain data before inserting it into the Document Object Model (DOM) on the client side. [1]

Exploitation

Path

Successful exploitation requires user interaction—a privileged user (such as an administrator) must click a malicious link, visit a crafted page, or submit a specially formed form. This makes the attack feasible only if an attacker can trick a site administrator into performing the action. The vulnerability can be initiated from any role shown in the plugin's required privilege, but the final trigger depends on the victim's action. [1]

Impact

An attacker who successfully exploits this XSS can inject arbitrary HTML and JavaScript into the affected site. This could lead to malicious script execution on visitors' browsers, enabling actions such as redirecting users to phishing pages, injecting unwanted advertisements, or stealing session cookies. The CVSS v3 score of 6.5 reflects a Medium severity, indicating significant but not critical risk. [1]

Mitigation

The vendor has not released a patched version beyond 1.1, and it is unclear if the plugin remains supported. As an immediate action, users should update the plugin if a newer version becomes available. If no update is possible, site administrators should consider deactivating or replacing the plugin, or seek assistance from their hosting provider or web developer to mitigate the risk. [1]