CVE-2025-58651

Vulnerability

Overview

The PlayerJS plugin for WordPress version 2.24 and earlier contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This security flaw enables an attacker to inject arbitrary JavaScript code that executes in the context of a victim's browser [1].

Exploitation

Details

To exploit this vulnerability, a privileged user must perform an action such as clicking a malicious link, visiting a crafted page, or submitting a specially crafted form. No direct authentication is required for the attacker beyond the initial vector, but successful exploitation depends on tricking an authorized user into interacting with malicious content [1]. The attack surface includes any WordPress website running the affected plugin version.

Impact

An attacker can inject malicious scripts that execute when site visitors access the affected page. Common payloads include redirects to malicious sites, unwanted advertisements, or other HTML content designed to steal credentials, deploy malware, or deface the site. This vulnerability is listed in the Patchstack database and is known to be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Mitigation

As an immediate protective measure, administrators should update the PlayerJS plugin to a patched version. If updating is not possible, contacting the hosting provider or a web developer for assistance is recommended. Since the plugin is vulnerable up to version 2.24, any installation using that version or older should be considered at risk [1].