CVE-2025-58653

Vulnerability

Overview

The JSM file_get_contents() Shortcode plugin for WordPress (versions 2.7.1 and earlier) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This allows the injection of arbitrary HTML and JavaScript code that gets stored on the server and executed in the browser of any visitor accessing the affected page.

Exploitation and

Requirements

Attackers can exploit this vulnerability by injecting malicious scripts through the shortcode functionality, which is triggered when a privileged user (such as an admin or editor) performs an action like clicking a crafted link or submitting a specially formatted form [1]. The stored payload then executes automatically when any guest visits the compromised page, requiring no further interaction from the victim.

Impact and

Risk

Successful exploitation enables an attacker to inject payloads such as redirects, advertisements, or other arbitrary HTML content. According to the Patchstack advisory, this vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1]. The CVSS v3 base score of 6.5 reflects a medium severity, with network attack vector, low complexity, and changed scope [1].

Mitigation

Users are strongly advised to update the JSM file_get_contents() Shortcode plugin to a patched version (beyond 2.7.1) as an immediate action [1]. If an update is not possible, administrators should seek assistance from their hosting provider or a web developer to implement alternative safeguards.