CVE-2025-58830

Vulnerability

Overview

The Parallax Scrolling Enllax.js WordPress plugin versions 0.0.6 and below contain a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw allows authenticated users with sufficient privileges to inject arbitrary web scripts or HTML into the application's pages [1].

Exploitation

Details

Exploitation requires a privileged user to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form. Once triggered, the injected script is stored on the server and executed when other users (including site visitors) access the affected page [1].

Impact

A successful attack could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website. These scripts execute when guests visit the site, potentially leading to data theft, defacement, or further compromise [1].

Mitigation

The vendor has not released a patched version. Immediate action is to update the plugin if a fix becomes available. If unable to update, users should contact their hosting provider or web developer for assistance. This vulnerability is known to be used in mass-exploit campaigns [1].