CVE-2025-58257
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Picture-Planet GmbH Verowa Connect verowa-connect allows Stored XSS. This issue affects Verowa Connect: from n/a through <= 3.2.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Verowa Connect plugin up to v3.2.3 allows authenticated attackers to inject arbitrary scripts viewed by site visitors.
CVE-2025-58257 describes a Stored Cross-Site Scripting (XSS) vulnerability in the Verowa Connect WordPress plugin by Picture-Planet GmbH. The issue stems from improper neutralization of user-supplied input during web page generation, as detailed in the official description. This weakness affects all plugin versions from n/a through 3.2.3 [1].
The vulnerability can be exploited by an authenticated user with sufficient privileges (e.g., an editor or administrator) who injects malicious script payloads into fields that are later rendered on the site. Successful exploitation requires the attacker to have a privileged role, and the stored script will execute when other users or visitors access the affected page(s) [1]. No additional user interaction beyond the initial injection is required for the payload to persist.
Impact includes the ability to inject arbitrary HTML and JavaScript, which could be used to redirect visitors, display advertisements, steal session cookies, or perform other client-side attacks. The CVSS v3.1 base score is 6.5 (Medium), reflecting the need for authenticated access but the significant consequence to the site's visitors [1].
The vendor has addressed the flaw in version 3.3.0 of the plugin. Users are strongly advised to update to 3.3.0 or later, which resolves the vulnerability. Patchstack users may enable auto-updates for affected plugins. As with many WordPress plugin vulnerabilities, timely updating is the primary mitigation against potential exploitation [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <=3.2.3
- (no CPE) range: <=3.2.3
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.