CVE-2025-58840
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ibnul H. Custom Team Manager custom-team-manager allows Stored XSS. This issue affects Custom Team Manager: from n/a through <= 2.4.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Custom Team Manager plugin (≤2.4.2) allows authenticated attackers to inject malicious scripts executed on visitors' browsers.
Vulnerability
Overview
CVE-2025-58840 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Custom Team Manager, developed by Ibnul H. The issue stems from improper neutralization of user-supplied input during web page generation: the plugin does not HTML-encode or filter input adequately before rendering it, so attackers can inject arbitrary content that is stored and later output to the page, leading to persistent script injection. Versions from n/a through 2.4.2 are affected [1].
Exploitation
Conditions
Exploitation requires a privileged user role (e.g., administrator or editor) to inject the malicious payload. The attacker must have the ability to submit or save data that is later displayed on the site. Beyond the initial injection, no further interaction is required: the stored script executes automatically when any visitor loads the affected page [1].
Impact
An attacker can inject arbitrary JavaScript, HTML, or other payloads. This can lead to redirects to malicious sites, defacement, theft of session cookies, or other client-side attacks. Because the XSS is stored, every visitor to the compromised page is affected, making it suitable for mass exploitation in campaigns targeting thousands of WordPress sites [1].
Mitigation
The vendor has not released a patched version as of the publication date. Users are advised to update the plugin immediately if a fix becomes available. If updating is not possible, consider disabling the plugin or applying a web application firewall rule to block XSS payloads. The vulnerability is listed in the Patchstack database and is considered medium severity (CVSS 6.5) [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 2.4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.