VYPR
Medium severity 6.5 · NVD Advisory · Published Sep 5, 2025 · Updated Apr 23, 2026

CVE-2025-58850

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in marcshowpass Showpass WordPress Extension showpass allows Stored XSS. This issue affects Showpass WordPress Extension: from n/a through <= 4.0.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored Cross-Site Scripting in Showpass WordPress Extension plugin ≤4.0.3 allows attackers to inject malicious scripts via unsanitized input.

The Showpass WordPress Extension plugin (versions up to and including 4.0.3) contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed when the page is loaded [1].

Exploiting this vulnerability requires the attacker to have at least contributor-level access to the WordPress site, as they need to submit input that is saved and later displayed to other users. However, no additional user interaction is required for the stored XSS to trigger; the injected script will execute automatically when visitors access the affected page [1].

Successful exploitation could lead to a range of malicious actions, including redirecting visitors to phishing sites, injecting unwanted advertisements, or performing actions on behalf of an authenticated administrator. This can compromise the site's integrity and user trust [1].

The vendor has released version 4.0.4, which fixes the issue. Users are strongly advised to update immediately. For those unable to update, restricting contributor-level access or applying a web application firewall may serve as temporary mitigations [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
