VYPR
Medium severity 5.9 · NVD Advisory · Published Sep 22, 2025 · Updated Apr 23, 2026

CVE-2025-58266

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fumiki Takahashi Gianism gianism allows Stored XSS. This issue affects Gianism: from n/a through <= 6.0.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in the Gianism WordPress plugin (versions ≤ 6.0.0) allows attackers to inject malicious scripts that execute when visitors load affected pages.

Vulnerability Overview

CVE-2025-58266 is a stored cross-site scripting (XSS) vulnerability in the Gianism WordPress plugin by Fumiki Takahashi, affecting versions through 6.0.0. The root cause is improper neutralization of user-supplied input during web page generation, which allows arbitrary HTML and JavaScript to be stored and later rendered [1].

Attack Vector

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a crafted link or submitting a form, after which the malicious payload is stored and later executed in the browsers of visitors [1]. The vulnerability is classified as medium severity (CVSS v3 base 5.9). Authentication is needed only for the initial injection by a privileged role; the stored payload itself requires no authentication.

Impact

A successful attack enables an actor to inject malicious scripts—such as redirects, advertisements, or other HTML payloads—that execute when guests visit the affected website. This can lead to defacement, phishing, or malware distribution, and is noted to be frequently used in mass-exploit campaigns targeting thousands of sites [1].

Mitigation

Users are strongly advised to update the Gianism plugin immediately to a patched version. If updating is not possible, contact your hosting provider or a web developer for assistance. The vulnerability is publicly documented, and no workaround beyond patching has been provided [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

References: 1
