CVE-2025-58691

Vulnerability

Overview The Genesis Club Lite plugin for WordPress, versions up to and including 1.17, contains a stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw enables attackers to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users access the affected page.

Exploitation

Conditions Exploitation requires a privileged user, such as an administrator, to perform an action like clicking a malicious link or submitting a crafted form [1]. While the attack originates from an authenticated user with certain privileges, the injected script executes in the browser of any visitor, including unauthenticated users, making it a stored XSS attack.

Impact

Successful exploitation allows an attacker to inject malicious scripts that can perform actions such as redirecting visitors to phishing sites, displaying unauthorized advertisements, or stealing session cookies [1]. This type of vulnerability is frequently used in mass-exploit campaigns targeting WordPress sites [1].

Mitigation

The vulnerability is addressed in a newer version of the plugin; users are strongly advised to update to the latest available release [1]. If an immediate update is not possible, consider implementing a Web Application Firewall (WAF) or temporarily disabling the plugin until patched.