CVE-2025-58864

Vulnerability

Overview The 金数据 (jinshuju) WordPress plugin, versions through 1.0, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This allows attackers to inject malicious scripts that are stored on the server and executed when other users access the affected pages [1].

Exploitation

Details Exploitation requires a privileged user to perform an action, such as clicking a malicious link or visiting a crafted page, but the attack can be initiated by a lower-privileged role. This vulnerability is known to be used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation enables an attacker to inject arbitrary HTML and JavaScript payloads, including redirects, advertisements, and other malicious content. These scripts execute in the context of the victim's browser when they visit the compromised site, potentially leading to data theft, session hijacking, or defacement [1].

Mitigation

As an immediate action, users should update the plugin to the latest available version. If updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance. No patched version is specified beyond the affected range [1].