CVE-2025-58834

The short.io WordPress plugin (wp-shortcm) suffers from a DOM-based Cross-Site Scripting (XSS) vulnerability in versions through 2.4.2. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary JavaScript that executes in the context of the victim's browser.

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a crafted link or visiting a specially prepared page [1]. The attack is user-interactive, meaning the attacker must trick a legitimate user into triggering the payload. No authentication is required for the initial injection, but the payload executes only when a privileged user interacts with the crafted input.

If successfully exploited, an attacker can inject malicious scripts that execute when visitors load the affected page. This may lead to redirects, display of unwanted advertisements, theft of session tokens, or other client-side attacks [1]. The CVSS v3 base score of 6.5 (Medium) reflects the need for user interaction and the potential for significant impact if exploited.

As an immediate mitigation, users should update the plugin to a version newer than 2.4.2 where the issue is patched [1]. Administrators who are unable to update should ask their hosting provider or web developer for assistance. This vulnerability has been noted as being used in mass-exploit campaigns targeting thousands of websites [1].