VYPR
Medium severity (CVSS 5.9) · NVD Advisory · Published Sep 22, 2025 · Updated Apr 23, 2026

CVE-2025-58645

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gravitate Gravitate Automated Tester (gravitate-automated-tester) allows Stored XSS. This issue affects Gravitate Automated Tester: from n/a through <= 1.4.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-58645 is a stored Cross-Site Scripting vulnerability in the Gravitate Automated Tester WordPress plugin (<=1.4.5) that allows attackers to inject malicious scripts executed when visitors browse the site.

The Gravitate Automated Tester plugin for WordPress, version 1.4.5 and earlier, suffers from a stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This means the plugin fails to sanitize or escape input that is later displayed, allowing an attacker to inject arbitrary HTML or JavaScript code that persists on the server.

Exploitation

An attacker with author-level privileges or higher can inject malicious scripts via input fields that are stored and later rendered to other users, including site visitors. Successful exploitation requires no direct user interaction from the victim beyond loading the page: the stored payload executes automatically when the affected page is rendered. The vulnerability can be triggered by any user holding the required role, and no additional authentication bypass is needed.

Impact

If exploited, the attacker can inject arbitrary scripts such as redirects, advertisements, or other HTML payloads. These scripts would run in the context of the victim's browser when they visit the affected page, potentially leading to session hijacking, defacement, or phishing attacks. The CVSS v3 base score of 5.9 indicates a medium severity due to the requirement for some level of access and the need for the script to execute in the context of the victim's session.

Mitigation

The vendor has issued updates beyond version 1.4.5 that address the vulnerability. Users are strongly advised to update the plugin to the latest available version. If unable to update immediately, site administrators should restrict access to the plugin's features to trusted users only. According to Patchstack, this type of vulnerability is frequently used in mass-exploit campaigns [1].
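As an added triage check (not from the advisory, NVD, or the plugin vendor), the script below reads the WordPress plugin header of an installed copy and decides whether its version falls inside the affected range (<= 1.4.5) stated above. The slug and cut-off version come from the advisory; the plugin file layout and the sample header are assumptions constructed for the example.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Slug and last affected version are taken from the advisory text.
AFFECTED_SLUG = "gravitate-automated-tester"
LAST_AFFECTED_VERSION = "1.4.5"

# WordPress reads plugin metadata from a comment block at the top of the
# plugin's main PHP file; the "Version:" line is what we compare.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample header (not the real plugin file), used for a dry run.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Gravitate Automated Tester
 * Version: 1.4.5
 */
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.4.10' into (1, 4, 10) so comparison is numeric, not lexical."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at suffixes such as 'beta'
        parts.append(int(m.group()))
    return tuple(parts)


def header_version(plugin_header: str) -> Optional[str]:
    """Extract the declared version, or None if no header is present."""
    m = _VERSION_RE.search(plugin_header)
    return m.group(1) if m else None


def is_affected(installed: str, last_affected: str = LAST_AFFECTED_VERSION) -> bool:
    """True when the installed version lies within the advisory's range."""
    return parse_version(installed) <= parse_version(last_affected)


def assess(plugin_header: str) -> dict:
    """Summarise one plugin header; 'affected' is None when unknown."""
    version = header_version(plugin_header)
    return {"version": version, "affected": is_affected(version) if version else None}


def assess_install(wp_root: str) -> dict:
    """Assumes the usual wp-content/plugins/<slug>/<slug>.php layout."""
    main_file = Path(wp_root) / "wp-content" / "plugins" / AFFECTED_SLUG / f"{AFFECTED_SLUG}.php"
    if not main_file.is_file():
        return {"version": None, "affected": None}
    return assess(main_file.read_text(errors="replace"))
```

Run `assess_install("/var/www/html")` (path assumed) against a real install; an `affected` value of `True` means the copy should be updated or its features restricted to trusted users as described above.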

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.