CVE-2025-58654
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-language xili-language allows DOM-Based XSS. This issue affects xili-language: from n/a through <= 2.21.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-based XSS in xili-language plugin (≤2.21.3) lets attackers inject malicious scripts, requiring user interaction.
Vulnerability Overview
The xili-language plugin for WordPress, up to version 2.21.3, contains a DOM-based Cross-site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows an attacker to inject arbitrary JavaScript payloads into the DOM of a victim's browser.
Exploitation Conditions
Exploitation requires user interaction, such as clicking a crafted link or visiting a malicious page while authenticated as a privileged user [1]. The attack surface is typical for plugin-based XSS; the attacker does not need direct access to the site files, but must trick a user into performing an action.
Impact
A successful attack enables the attacker to execute arbitrary scripts in the context of the victim's session. This can be used to redirect visitors, inject advertisements, or deliver other HTML payloads [1]. Such vulnerabilities are commonly leveraged in mass-exploit campaigns targeting WordPress sites.
Mitigation
Users are strongly advised to update the xili-language plugin to the latest patched version immediately. If an update is not possible, contact your hosting provider or web developer for assistance [1]. No workaround details have been provided.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), range: <= 2.21.3
- (no CPE), range: <= 2.21.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.