CVE-2025-58791
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arjan Olsder SEO Auto Linker wpa-seo-auto-linker allows Stored XSS. This issue affects SEO Auto Linker: from n/a through <= 1.5.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in SEO Auto Linker plugin ≤1.5.3 lets attackers inject malicious scripts via improper input neutralization.
Vulnerability Overview
CVE-2025-58791 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin SEO Auto Linker by Arjan Olsder, affecting versions from n/a through 1.5.3. The root cause is improper neutralization of user input during web page generation, allowing an attacker to store malicious scripts that execute when other users visit the affected page [1].
Exploitation Prerequisites
Exploitation requires a privileged user role (e.g., administrator) to initiate the attack, but successful execution also requires a victim (such as another admin or site visitor) to interact with the crafted content — for example, by clicking a malicious link or visiting a specially prepared page. This user interaction is factored into the CVSS v3 base score of 5.9 (Medium) [1].
Impact
If exploited, an attacker can inject arbitrary HTML and JavaScript payloads, such as redirects, advertisements, or other scripts, into the website. These payloads execute in the browsers of visitors, potentially leading to session hijacking, defacement, or further compromise of the site [1].
Mitigation
The vendor has not released a patch for versions beyond 1.5.3; users are advised to update the plugin immediately if a newer version is available. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended. This vulnerability is noted as being used in mass-exploit campaigns, underscoring the urgency of remediation [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References
1 reference.