CVE-2025-58263

Vulnerability

Overview

The BuddyPress Notification Widget plugin for WordPress versions up to and including 1.3.3 contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw enables an attacker with sufficient privileges to inject arbitrary HTML and JavaScript code into the widget's output, which is then stored and executed in the browsers of other users who visit the affected page.

Exploitation

Requirements

Exploitation requires a user with at least the role specified in the plugin's settings to be able to submit or save data that is later rendered without sanitization. While the vulnerability can be initiated by an authenticated user, successful execution of the injected script depends on another user (such as an administrator or site visitor) interacting with the crafted content, for example by viewing a page containing the malicious widget [1].

Impact

A successful attack allows the threat actor to inject malicious scripts that can perform actions such as redirecting visitors to attacker-controlled sites, displaying unwanted advertisements, or stealing session cookies and other sensitive data. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].

Mitigation

The vendor has not released a patched version beyond 1.3.3; users are advised to update the plugin immediately if a newer version becomes available. If an update is not possible, site owners should consider disabling the plugin or implementing a web application firewall rule to block malicious payloads. Given the active exploitation risk, immediate action is recommended [1].