VYPR
Medium severity 6.5 · NVD Advisory · Published Sep 5, 2025 · Updated Apr 23, 2026

CVE-2025-58786

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VW THEMES Ibtana – Ecommerce Product Addons ibtana-ecommerce-product-addons allows DOM-Based XSS. This issue affects Ibtana – Ecommerce Product Addons: from n/a through <= 0.4.7.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-Based XSS in Ibtana – Ecommerce Product Addons plugin (≤ 0.4.7.6) allows unauthenticated script injection via improper input neutralization.

The Ibtana – Ecommerce Product Addons plugin for WordPress (versions up to and including 0.4.7.6) contains a DOM-Based Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, which allows an attacker to inject arbitrary JavaScript into the DOM of a victim's browser [1].

Exploitation requires user interaction—a privileged user must click a malicious link, visit a crafted page, or submit a specially crafted form. The attack does not require authentication, meaning any unauthenticated visitor can be targeted if they perform the required action [1].

Successful exploitation enables an attacker to execute arbitrary scripts in the context of the victim's browser. This can be used to redirect users to malicious sites, display unauthorized advertisements, or inject other HTML payloads, potentially leading to further compromise of the affected WordPress site [1].

As of the advisory, the vulnerability is unpatched in the affected versions. Users are strongly advised to update the plugin to the latest available version. If updating is not immediately possible, contacting the hosting provider or a web developer for mitigation assistance is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
