CVE-2025-58851

Vulnerability

Overview

The Boxed Content plugin for WordPress, up to and including version 1.0, contains a Stored Cross-Site Scripting (XSS (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed in the browsers of visitors [1].

Exploitation

Details

To exploit this vulnerability, an attacker must have a privileged role (e.g., Editor or Administrator) that can submit or save content via the plugin. The attack requires user interaction, such as clicking a malicious link or visiting a crafted page, but once triggered, the injected script persists and executes automatically for any subsequent visitor [1].

Impact

Successful exploitation enables the attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, into the affected website. These scripts execute when guests visit the site, potentially leading to data theft, defacement, or further compromise [1].

Mitigation

The vendor has not released a patched version; the plugin is end-of-life. Immediate action is to update the plugin if a fix becomes available, or remove it. If unable to do so, consult a hosting provider or web developer for assistance [1].