CVE-2025-58646
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in chtombleson Mobi2Go mobi2go allows Stored XSS. This issue affects Mobi2Go: from n/a through <= 1.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the Mobi2Go WordPress plugin (<= 1.0.0) allows unauthenticated attackers to inject malicious scripts.
Vulnerability
Analysis
CVE-2025-58646 describes a stored cross-site scripting (XSS) vulnerability in the Mobi2Go plugin for WordPress, affecting all versions up to and including 1.0.0. The issue stems from improper neutralization of user-supplied input during web page generation, allowing arbitrary JavaScript or HTML to be injected and permanently stored on the server. This type of vulnerability is common in plugins that fail to sanitize or escape output when rendering user-controllable data [1].
Exploitation
Attackers with low-privilege access (such as a subscriber or contributor) can inject malicious payloads via input fields that are later displayed to other users. While user interaction (e.g., clicking a link or visiting a crafted page) is required to trigger the execution, the stored nature of the payload increases the likelihood of successful exploitation. The attack does not require any special network position beyond being able to submit data to the vulnerable plugin [1].
Impact
Successful exploitation enables a threat actor to execute arbitrary scripts in the browsers of visitors or administrators. Common abuse scenarios include redirecting users to malicious sites, displaying fake advertisements, stealing session cookies, or defacing the website. Because the payload persists, every page load by any user can be affected, amplifying the potential damage. This vulnerability is frequently targeted in mass automated campaigns against WordPress sites [1].
Mitigation
The vendor has not released a patched version at the time of this advisory. The recommended immediate action is to update the plugin as soon as a fix becomes available. If an update is not possible, site administrators should disable the plugin or use a web application firewall (WAF) to block malicious input. With a CVSS score of 5.9 the vulnerability is rated medium severity, but it should still be prioritized because of the ease of exploitation and the potential for widespread attacks [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.