VYPR
Medium severity 6.5 · NVD Advisory · Published Sep 5, 2025 · Updated Apr 23, 2026

CVE-2025-58826

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric Mann WP Publication Archive wp-publication-archive allows Stored XSS. This issue affects WP Publication Archive: from n/a through <= 3.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WP Publication Archive plugin (≤3.0.1) allows attackers with contributor-level access to inject persistent malicious scripts.

Vulnerability Overview

The WP Publication Archive plugin for WordPress, versions 3.0.1 and earlier, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an authenticated attacker with contributor-level privileges or higher to inject arbitrary JavaScript or HTML into the plugin's publication archive pages.

Exploitation Details

To exploit this vulnerability, an attacker must first have a WordPress user account with at least the Contributor role. The attacker then crafts a malicious payload within a publication entry's title or content fields. When a site administrator or other privileged user views the affected archive page, the injected script executes in their browser session. This user interaction requirement is reflected in the Medium (6.5) severity score [1].

Impact

Successful exploitation enables the attacker to perform actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing session cookies. Because the injected script is stored in the database, it affects every visitor who views the compromised archive page, making it suitable for mass-exploit campaigns targeting thousands of WordPress sites [1].

Mitigation

The vendor has not released a patched version as of the publication date. If a version newer than 3.0.1 becomes available, update to it; until then, disable the plugin or restrict contributor-level user accounts as a temporary workaround [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
