CVE-2025-58271

Vulnerability

The AnyClip Luminous Studio plugin for WordPress versions up to and including 1.3.3 contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This allows authenticated users with contributor-level access or above to inject arbitrary JavaScript code that is stored on the server and executed when other users view the affected page [1].

Exploitation

Exploitation requires the attacker to have at least contributor-level permissions to submit the malicious payload. However, successful execution depends on another privileged user, such as an administrator, visiting the compromised page. This makes it a stored XSS that can be triggered through normal administrative actions, increasing the likelihood of widespread impact [1].

Impact

An attacker can inject scripts that perform actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing sensitive information like cookies and session tokens. Because the payload persists on the server, it can affect all subsequent visitors, making this vulnerability suitable for mass-exploit campaigns targeting thousands of WordPress sites [1].

Mitigation

The vendor has released a patch for this vulnerability. Users are strongly advised to update the AnyClip Luminous Studio plugin to the latest available version immediately. If an immediate update is not possible, it is recommended to seek assistance from a hosting provider or web developer to implement temporary workarounds [1].