CVE-2025-58808

Vulnerability

Overview

CVE-2025-58808 describes a Stored Cross-Site Scripting vulnerability in the WordPress plugin prettyPhoto, affecting versions through and including 1.2.5. The root cause is improper neutralization of user-supplied input during web page generation, allowing attackers to inject arbitrary JavaScript that gets permanently stored on the server and executed in the browsers of visitors. [1]

Exploitation

Details

To exploit this flaw, an attacker must have a privileged user role—typically a contributor or higher—that allows them to input content processed by the plugin. The stored script is triggered when any user (including administrators) visits the compromised page, without requiring them to click a crafted link. The attack requires user interaction only in the sense that a privileged user must first submit the malicious input. [1]

Impact

Successful exploitation enables an attacker to inject scripts that can steal session cookies, redirect visitors to malicious sites, display unwanted advertisements, or perform other actions within the security context of the victim's browser. Because the payload is stored, every subsequent visitor to the affected page may be impacted. [1]

Mitigation

The vendor has not released a patched version, and users are advised to update the plugin to a fixed version once available. As an immediate workaround, site administrators should disable or remove the prettyPhoto plugin if it is not required, or restrict contributor privileges to trusted users. The vulnerability is listed in the Patchstack database, indicating it may be targeted in automated exploitation campaigns. [1]