VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published Sep 22, 2025 · Updated Apr 23, 2026

CVE-2025-58260

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ronald Huereca's Highlight and Share (plugin slug: highlight-and-share) allows Stored XSS. This issue affects Highlight and Share: from n/a through 5.1.1 (all versions <= 5.1.1).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in WordPress Highlight and Share plugin versions <=5.1.1 allows attackers to inject malicious scripts, leading to potential site compromise.

The Highlight and Share plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability: user-supplied input is not neutralized before it is written into generated pages [1]. A low-privileged attacker can therefore inject arbitrary script or HTML that the site stores and later renders, so the payload executes in the browser of every user who views the affected content.

Exploitation requires an authenticated user with at least contributor-level access to the WordPress site [1]. The attacker submits the payload through the plugin's input fields; when other users, including administrators, later view the affected page, the script runs in the victim's browser under that user's session [1]. The victim needs to do nothing beyond loading the page.
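The following is an added illustration of the stored-XSS pattern described above, written as generic WordPress plugin code. It is not code from Highlight and Share: the page does not identify the vulnerable sink, so the shortcode name `hs_demo`, the option name `hs_demo_label` and the function names are hypothetical. It shows why a contributor account is enough (WordPress's kses filter strips `<script>` from a contributor's post but leaves shortcode attribute text untouched) and how escaping for the output context neutralizes the stored payload.

```php
<?php
/*
 * Added illustration, NOT code from Highlight and Share. The shortcode
 * "hs_demo" and option "hs_demo_label" are hypothetical. Runs only inside
 * WordPress: shortcode_atts(), esc_attr(), esc_html(), register_setting()
 * and sanitize_text_field() are core functions.
 *
 * Why a contributor suffices: contributors lack the unfiltered_html
 * capability, so WordPress runs wp_kses_post() on post_content and strips
 * <script> tags. The text inside a shortcode tag is not an HTML tag, so kses
 * leaves it alone and the attribute value reaches the plugin verbatim. A
 * payload such as
 *
 *     [hs_demo label='" onmouseover="alert(document.cookie)']
 *
 * is stored in the post and re-rendered on every view, including by an
 * administrator, if the plugin echoes the attribute without escaping.
 */

// Vulnerable form: attribute value concatenated straight into HTML.
function hs_demo_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'label' => 'Share' ), $atts, 'hs_demo' );
    // BAD: the payload above closes the data-label attribute and adds an
    // event handler, so the rendered markup becomes
    // <span class="hs-share" data-label="" onmouseover="alert(...)">
    return '<span class="hs-share" data-label="' . $atts['label'] . '">'
        . $atts['label'] . '</span>';
}

// Hardened form: escape for the exact context the value lands in.
function hs_demo_hardened( $atts ) {
    $atts = shortcode_atts( array( 'label' => 'Share' ), $atts, 'hs_demo' );
    // esc_attr() for a quoted attribute, esc_html() for text content.
    // Escaping at output is what neutralizes a payload that is already
    // stored; sanitizing on input is defense in depth, not a substitute.
    return '<span class="hs-share" data-label="' . esc_attr( $atts['label'] ) . '">'
        . esc_html( $atts['label'] ) . '</span>';
}
add_shortcode( 'hs_demo', 'hs_demo_hardened' );

// Same rule for plugin settings: any option a user can write needs a
// sanitize callback on save and context-appropriate escaping on output.
function hs_demo_register_settings() {
    register_setting(
        'hs_demo_group',
        'hs_demo_label',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => 'Share',
        )
    );
}
add_action( 'admin_init', 'hs_demo_register_settings' );
```

When auditing a plugin for this class of bug, grep for `echo`/`return` statements that interpolate `$atts[...]`, `get_option(...)` or `get_post_meta(...)` values into markup, and check that each one passes through the escaper matching its context (`esc_attr`, `esc_html`, `esc_url`, or `wp_kses_post` where limited HTML is intended).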

Successful exploitation can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information, all with the privileges of whichever user loads the page. The CVSS v3 score of 6.5 places the issue at medium severity [1].

The vulnerability is patched in version 5.2.0 and later. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. For those unable to update, it is recommended to consult with a web developer or hosting provider for alternative mitigation [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 1
