VYPR
Medium severity 6.5 · NVD Advisory · Published Sep 5, 2025 · Updated Apr 23, 2026

CVE-2025-58823

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The African Boss Get Cash get-cash allows Stored XSS. This issue affects Get Cash: from n/a through <= 3.2.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Get Cash plugin for WordPress (≤3.2.3) allows authenticated attackers to inject malicious scripts into pages.

Vulnerability Overview

The Get Cash plugin for WordPress (versions from n/a through 3.2.3) contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation. This means that user-supplied data is not correctly sanitized before being stored and later displayed to other users, allowing the injection of arbitrary HTML and JavaScript code [1].

Exploitation Prerequisites

To exploit this vulnerability, an attacker must have at least a low-privileged account (such as a subscriber) on the target WordPress site. The attack requires a privileged user (e.g., an administrator) to perform an action, such as clicking a malicious link or visiting a crafted page, which triggers the stored payload. Once executed, the injected script runs in the context of the victim's browser session [1].

Impact

Successful exploitation enables an attacker to inject malicious scripts that can perform a variety of actions, such as redirecting visitors to malicious sites, displaying unauthorized advertisements, stealing session cookies, or defacing the site. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].

Mitigation

The vendor has released a patched version; users are strongly advised to update the Get Cash plugin to version 3.2.4 or later. If immediate updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance. As of the publication date, the vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
