CVE-2025-58674
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is a low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WordPress core menu functionality, fixed in 6.8.3, requires Author-level privileges.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability exists in WordPress core in every branch from 4.7 through 6.8.2, caused by improper neutralization of input during web page generation. According to the cited reference, the flaw lies in the navigation menus functionality and allows an attacker with at least Author-level privileges to inject script that is stored server-side and later rendered to other users [1].
Exploitation
Requirements
An attacker needs an authenticated account with the Author role or higher. The attack vector is a crafted menu item or navigation label carrying an XSS payload; once saved, the payload executes when an administrator or other user views a page that renders the affected menu [1]. No further privileges and no chaining with another bug are required. Note that the CVE description itself does not name the vulnerable component; the menu detail comes from the cited reference. Author is a role commonly granted to guest writers and contractors, so on multi-author sites the prerequisite is often already met.
Impact
Successful exploitation lets the attacker run arbitrary JavaScript in the browser of whoever renders the malicious menu content, inside the WordPress admin interface or on the public-facing site depending on where the menu appears. If the victim is an administrator, the script runs with that session's privileges and nonces, so the consequences extend beyond session hijacking, defacement and redirection to actions performed in the administrator's name. The reported CVSS base score of 5.9 (Medium) reflects the authenticated-access requirement; the CVE description itself characterizes the issue as low severity [1].
Mitigation
WordPress 6.8.3, released in September 2025, addresses this vulnerability, and corresponding security releases were issued for every affected branch down to 4.7, the oldest branch still eligible for security fixes. Update immediately from the WordPress Dashboard or by downloading the latest release for your branch. No workaround is known apart from limiting the Author role and above to trusted users; because the update does not necessarily remove content that was already stored, menu items created by such accounts before the update are worth reviewing for injected markup [1].
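A triage helper for the long branch list in the description, added here as an example (it is not code from this page or from the WordPress project): it parses the affected ranges straight from the CVE description text, classifies an installed version against them, and infers the first fixed release of each branch. The CVE only names 6.8.3 explicitly; the other inferred fixed versions follow from "through X.Y.Z" meaning X.Y.(Z+1) is the first release outside the range, which is an assumption of this script. The site inventory at the bottom is constructed sample data.

```python
import re

# Affected ranges copied verbatim from the CVE-2025-58674 description.
AFFECTED_TEXT = (
    "from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, "
    "from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, "
    "from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, "
    "from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, "
    "from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, "
    "from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, "
    "from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, "
    "from 4.7 through 4.7.30"
)

RANGE_RE = re.compile(r"from (\d+\.\d+) through (\d+(?:\.\d+){1,2})")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Turn a WordPress version string into a comparable (major, minor, patch) tuple.

    WordPress names the first release of a branch '6.8', not '6.8.0', so a missing
    patch component is 0. A pre-release suffix ('6.8.3-RC1') is treated
    conservatively as *not yet* 6.8.3, i.e. it compares as 6.8.2.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    if m.group(4):  # pre-release: assume the fix is not in it yet
        patch -= 1
    return (major, minor, patch)


def parse_ranges(text=AFFECTED_TEXT):
    """Map each listed branch (major, minor) to its last affected version tuple."""
    ranges = {}
    for start, end in RANGE_RE.findall(text):
        branch = parse_version(start)[:2]
        ranges[branch] = parse_version(end)
    return ranges


def assess(version, ranges=None):
    """Classify an installed version.

    Returns 'affected', 'patched', 'unsupported' (branch older than the oldest
    listed one, for which no fix was published) or 'not_listed' (branch newer
    than any the description mentions).
    """
    ranges = parse_ranges() if ranges is None else ranges
    v = parse_version(version)
    branch = v[:2]
    if branch in ranges:
        return "affected" if v <= ranges[branch] else "patched"
    if branch < min(ranges):
        return "unsupported"
    return "not_listed"


def first_fixed(version, ranges=None):
    """Assumed first fixed release for the installed version's branch.

    ASSUMPTION: if a branch is affected 'through X.Y.Z', X.Y.(Z+1) is the first
    release outside the range. The CVE only names 6.8.3 explicitly; the other
    values are this inference, not a statement from the advisory.
    Returns None for branches without a listed range.
    """
    ranges = parse_ranges() if ranges is None else ranges
    branch = parse_version(version)[:2]
    if branch not in ranges:
        return None
    major, minor, patch = ranges[branch]
    return f"{major}.{minor}.{patch + 1}"


if __name__ == "__main__":
    # Constructed sample inventory of sites and the versions they report.
    inventory = {
        "blog": "6.8.2", "shop": "6.8.3", "legacy": "5.9.11",
        "staging": "6.8.3-RC1", "museum": "4.6.29", "edge": "7.0",
    }
    for site, ver in inventory.items():
        print(f"{site:8} {ver:10} {assess(ver):12} fix={first_fixed(ver)}")
```

The pre-release rule errs on the side of flagging: a release candidate of a fixed version is reported as affected, because a triage list is cheaper to over-report than to under-report. A branch below 4.7 is reported as unsupported rather than patched, since no fix exists for it and the only remedy is a major upgrade.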
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress (no CPE) range: >=4.7, <=6.8.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.