CVE-2025-58858
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Image Widget (wpb-image-widget) allows Stored XSS. This issue affects WPB Image Widget: from n/a through <= 1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WPB Image Widget plugin <=1.1 allows attackers to inject malicious scripts via improper input sanitization.
Vulnerability
Overview
CVE-2025-58858 is a stored cross-site scripting (XSS) vulnerability in the WPBean WPB Image Widget plugin for WordPress, affecting versions n/a through 1.1. The issue stems from improper neutralization of user input during web page generation, allowing attackers to inject arbitrary scripts that are stored on the server and executed when victims view the affected page. [1]
Exploitation
Exploitation requires a user with the appropriate WordPress role (likely contributor or higher) to submit malicious input via the plugin's widget settings. While the vulnerability can be triggered by such a user, successful exploitation also requires an authenticated administrator or editor to perform an action like clicking a specially crafted link or visiting a manipulated page. This chain of user interactions elevates the risk of a stored XSS attack. [1]
Impact
An attacker exploiting this vulnerability can inject malicious HTML and JavaScript payloads, such as redirects, advertisements, or other content that executes in the browsers of site visitors. This could lead to defacement, phishing, or further compromise of user sessions. The advisory notes that vulnerabilities like this are often used in mass-exploit campaigns targeting thousands of WordPress sites. [1]
Mitigation
Users are strongly advised to update the WPB Image Widget plugin to a version higher than 1.1. If an immediate update is not possible, contacting a hosting provider or web developer for assistance is recommended. No workarounds are provided, and the plugin should be considered vulnerable until patched. [1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
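The weakness class described above, shown as an added illustration that is not the plugin's own code: a hypothetical WordPress image widget (field names `link`, `image`, `alt` and `caption` are assumed) whose stored settings are echoed unescaped, beside the context-aware escaping a maintainer would apply on output and on save.

```php
<?php
// Hypothetical image widget, added for illustration; not WPB Image Widget's code.
// Settings saved through the widget form ($instance) are stored server-side and
// rendered on every page view, so each value must be escaped for the context
// it lands in, or stored markup executes in every visitor's browser.
class Example_Image_Widget extends WP_Widget {
    public function __construct() {
        parent::__construct( 'example_image_widget', 'Example Image Widget' );
    }

    // Vulnerable pattern: stored settings are concatenated straight into markup.
    // An unescaped double quote in any of these fields terminates the HTML
    // attribute, so whatever follows it becomes part of the page's markup.
    public function widget_unsafe( $instance ) {
        echo '<a href="' . $instance['link'] . '">';
        echo '<img src="' . $instance['image'] . '" alt="' . $instance['alt'] . '">';
        echo '</a>';
        echo '<div class="caption">' . $instance['caption'] . '</div>';
    }

    // Hardened rendering: escape every field for its output context.
    public function widget( $args, $instance ) {
        $link    = esc_url( $instance['link'] ?? '' );         // URL context; drops disallowed schemes
        $image   = esc_url( $instance['image'] ?? '' );
        $alt     = esc_attr( $instance['alt'] ?? '' );         // HTML attribute context
        $caption = wp_kses_post( $instance['caption'] ?? '' ); // only post-safe HTML survives

        echo $args['before_widget'] ?? '';
        echo '<a href="' . $link . '"><img src="' . $image . '" alt="' . $alt . '"></a>';
        echo '<div class="caption">' . $caption . '</div>';
        echo $args['after_widget'] ?? '';
    }

    // Sanitize on save as well; output escaping stays the last line of defence,
    // because stored values may also come from imports or older plugin versions.
    public function update( $new_instance, $old_instance ) {
        return array(
            'link'    => esc_url_raw( $new_instance['link'] ?? '' ),
            'image'   => esc_url_raw( $new_instance['image'] ?? '' ),
            'alt'     => sanitize_text_field( $new_instance['alt'] ?? '' ),
            'caption' => wp_kses_post( $new_instance['caption'] ?? '' ),
        );
    }
}
```

When reviewing a widget plugin for this class of bug, grep its `widget()` method for `$instance[` values that reach `echo` without passing through an `esc_*` or `wp_kses_*` function.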
Affected products
2 entries, range <= 1.1
- (no CPE) range: <= 1.1
- (no CPE) range: <= 1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.