CVE-2025-58683
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Luke Mlsna Last Updated Shortcode last-updated-shortcode allows Stored XSS.This issue affects Last Updated Shortcode: from n/a through <= 1.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in the WordPress Last Updated Shortcode plugin (<=1.0.1) allows authenticated attackers to inject malicious scripts.
The Last Updated Shortcode plugin for WordPress (versions up to 1.0.1) suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of input during shortcode output. This allows an attacker to inject arbitrary web scripts or HTML that will be stored and executed whenever a user views the affected page [1].
Exploitation requires the attacker to have at least contributor-level access to the WordPress site. The attacker can craft a shortcode containing malicious JavaScript, which is then executed in the browsers of other users, including administrators and visitors [1].
Successful exploitation enables the attacker to perform actions such as injecting redirects, displaying advertisements, or stealing session cookies, potentially leading to further compromise [1].
The vendor has not released a patched version; users are advised to update the plugin as soon as a fix becomes available. As a workaround, consider removing or disabling the plugin until an update is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<=1.0.1+ 1 more
- (no CPE)range: <=1.0.1
- (no CPE)range: <= 1.0.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.