VYPR
Medium severity 6.5 · NVD Advisory · Published Sep 22, 2025 · Updated Apr 28, 2026

CVE-2025-58265

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stonehenge Creations Events Manager – OpenStreetMaps stonehenge-em-osm allows Stored XSS. This issue affects Events Manager – OpenStreetMaps: from n/a through <= 4.2.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in WordPress Events Manager – OpenStreetMaps plugin up to 4.2.1 allows attackers to inject malicious scripts via improper input neutralization.

Vulnerability Description

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Stonehenge Creations Events Manager – OpenStreetMaps plugin (stonehenge-em-osm) for WordPress, affecting versions from n/a through 4.2.1. The issue stems from improper neutralization of user input during web page generation, allowing arbitrary JavaScript to be stored and executed [1].

Exploitation Requirements

Exploitation requires a user with certain privileges (e.g., contributor or higher) to inject malicious payloads. However, successful execution of the stored script requires another user, such as an administrator or visitor, to interact with a crafted page or link. This user interaction is necessary for the attack to succeed [1].

Impact

An attacker can inject malicious scripts that execute when victims visit the affected site, enabling redirections, advertisement injection, or other HTML-based attacks. This can lead to session hijacking, defacement, or credential theft [1].

Mitigation

As an immediate action, users should update the plugin to a patched version if available. If updating is not possible, consider disabling the plugin or seeking assistance from a hosting provider or web developer. This vulnerability is known to be used in mass-exploit campaigns targeting WordPress sites [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
