CVE-2025-58671

Vulnerability

Overview

The Auction Feed plugin for WordPress, versions n/a through 1.1.4, contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. This flaw allows an attacker to inject malicious scripts that are stored on the server and executed in the browser of any user viewing the affected page.

Exploitation

Details

Exploitation requires a privileged user to perform an action, such as clicking a malicious link or submitting a crafted form, as noted in the reference [1]. The attack vector is network-based, with low complexity and no authentication required. The vulnerability is classified as High severity with a CVSS v3 score of 7.1 [1].

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. The stored nature of the XSS means the payload persists and can affect multiple users over time.

Mitigation

The vendor has not released a patched version beyond 1.1.4; users are advised to update the plugin immediately if a fix becomes available. As a workaround, consider disabling the plugin or implementing a web application firewall (WAF) to filter malicious input. The vulnerability is part of mass-exploit campaigns targeting WordPress sites [1].