CVE-2025-58836

Vulnerability

Overview The FW Anker WordPress plugin (fw-anker) is affected by a Stored Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2025-58836. This issue arises from improper neutralization of user-supplied input during web page generation [1]. The vulnerability affects all versions from n/a through 1.2.6 [1].

Exploitation

Context Exploitation requires a privileged user role, such as an administrator or editor capable of inserting or modifying plugin content. While user interaction is needed (e.g., clicking a link or submitting a form), the injected script will persist in the application, triggering whenever other users or visitors access the affected page [1].

Impact

A successful attack allows a malicious actor to inject arbitrary JavaScript, HTML, or other payloads. These payloads can redirect visitors to malicious sites, display unwanted advertisements, or steal session cookies, leading to further compromise [1]. Because the XSS is stored, every subsequent page load executes the injected payload against all site visitors.

Mitigation

As of the published date (2025-09-05), no patched version has been released. Users are strongly advised to update the plugin immediately once a fix becomes available. If updating is not possible, consulting with a hosting provider or web developer for temporary workarounds is recommended [1].