CVE-2025-58805
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Widgetize Pages Light widgetize-pages-light allows Stored XSS. This issue affects Widgetize Pages Light: from n/a through <= 3.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Widgetize Pages Light plugin <=3.0 allows attackers to inject malicious scripts via improper input neutralization.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in the Widgetize Pages Light plugin for WordPress, affecting versions through 3.0. The issue stems from insufficient sanitization of user-supplied input, enabling stored cross-site scripting (XSS) attacks [1].
Exploitation requires a privileged user role, such as an editor or administrator, to perform an action like submitting a form or clicking a crafted link. The attacker must first inject the malicious script, which is then stored and executed when other users (including visitors) access the affected page [1].
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript payloads, including redirects, advertisements, or other malicious scripts. These scripts execute in the browser of any visitor viewing the compromised page, potentially leading to session hijacking, defacement, or further attacks [1].
The vendor has not released a patched version; the plugin remains vulnerable. As an immediate measure, users should disable or remove the plugin. If possible, ask a hosting provider or web developer for assistance [1]. The vulnerability has a CVSS v3 base score of 5.9 (Medium), and while not yet listed on CISA's Known Exploited Vulnerabilities catalog, similar XSS issues are frequently used in mass exploitation campaigns [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2: <=3.0 + 1 more
- (no CPE) range: <=3.0
- (no CPE) range: <=3.0
Patches
0: No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1
News mentions
0: No linked articles in our index yet.