VYPR
Medium severity 5.9 · NVD Advisory · Published Sep 5, 2025 · Updated Apr 23, 2026

CVE-2025-58832

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Search by Google search-google allows Stored XSS. This issue affects Search by Google: from n/a through <= 1.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in the Search by Google WordPress plugin (≤1.9) allows attackers with contributor-level access to inject malicious scripts. This vulnerability is already used in mass-exploit campaigns.

The vulnerability is a Stored Cross-Site Scripting (XSS) issue in the 'Search by Google' WordPress plugin, identified as CVE-2025-58832. The plugin fails to properly neutralize user input during web page generation, allowing a contributor-level user to inject arbitrary web scripts or HTML. This improper neutralization is the root cause [1].

Exploitation requires a privileged user holding at least the 'Contributor' role to perform an action such as clicking a malicious link or visiting a crafted page [1]. The injected payload is stored in the application and subsequently executed in the browsers of visitors. Because the attack needs an authenticated user but not Administrator privileges, the attack surface remains significant.

The impact includes the ability to inject malicious scripts, such as redirects, advertisements, and other HTML payloads. These scripts execute when any guest visits the compromised site, potentially leading to site defacement, credential theft via phishing, or other malicious activities [1].

As of the publication date, the vulnerability affects all versions up to and including 1.9. Users are strongly advised to update the plugin immediately. Workarounds are not described; if updating is not possible, consulting a hosting provider or web developer is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
