CVE-2025-58869
Description
Cross-Site Request Forgery (CSRF) vulnerability in Simasicher SimaCookie (plugin slug simasicher-dsgvo-cookie) allows Stored XSS. This issue affects SimaCookie: from n/a through 1.3.2 (inclusive).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the SimaCookie WordPress plugin lets an attacker with no account of their own achieve stored XSS by tricking a privileged user into submitting a forged request.
The SimaCookie plugin for WordPress (versions up to and including 1.3.2) contains a Cross-Site Request Forgery (CSRF) vulnerability that can lead to Stored Cross-Site Scripting (XSS). The root cause is insufficient CSRF protection: a state-changing request the plugin accepts from a logged-in administrator is not bound to that administrator's intent (in WordPress terms, this typically means the handler never verifies a nonce), so a third-party page can make the administrator's browser submit it [1].
Exploitation requires a privileged user, typically an administrator, to open a crafted page or link while logged in to the site; the page silently submits the forged request and the browser attaches the victim's session cookies. Through that request the attacker can write attacker-controlled markup into the plugin's settings, which the plugin stores and later renders without neutralising it, so the injected script runs in the browsers of other users who view the affected pages. The attacker needs no authentication of their own, but the victim must hold the privilege required to save those settings [1].
Successful exploitation lets the attacker run arbitrary JavaScript in the browser of every user who views the affected page, which can lead to session hijacking, site defacement, or further compromise of the WordPress installation. The cited advisory carries a general statement that WordPress plugin vulnerabilities of this kind are used in mass-exploit campaigns against sites regardless of size or popularity; this page records no confirmed exploitation of this specific CVE [1].
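The two defects that together turn a CSRF into stored XSS in a WordPress settings handler, and the hardened form, as an added illustration. This is not SimaCookie's own code (the advisory does not show the plugin's internals); every name below (the simacookie_demo_* functions, the simacookie_demo_banner option key and the simacookie_demo_save admin-post action) is hypothetical, and only the WordPress core functions are real.

```php
<?php
/**
 * Added illustration only: not SimaCookie's code. All simacookie_demo_*
 * names, the option key and the admin-post action are hypothetical.
 * Shows why a settings handler with no nonce check and no sanitisation
 * turns CSRF into stored XSS, and the hardened equivalent.
 */

/* ---------- VULNERABLE PATTERN (do not hook this) ---------- */

// Defect 1: no nonce/referer check, so a form on any site the admin visits
//           can POST here and the browser attaches the admin's cookies.
// Defect 2: no capability check on who may save.
// Defect 3: the value is stored raw and echoed raw, so <script> survives.
function simacookie_demo_save_vulnerable() {
    $banner = wp_unslash( $_POST['banner'] ?? '' );
    update_option( 'simacookie_demo_banner', $banner );
    wp_safe_redirect( admin_url( 'options-general.php?page=simacookie-demo' ) );
    exit;
}

function simacookie_demo_print_banner_vulnerable() {
    echo '<div id="simacookie-demo-banner">' . get_option( 'simacookie_demo_banner', '' ) . '</div>';
}

/* ---------- HARDENED FORM ---------- */

// The settings page embeds a nonce tied to the current user and this action.
// A cross-site form cannot know that value, so a forged POST is rejected.
function simacookie_demo_render_form() {
    $banner = get_option( 'simacookie_demo_banner', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'simacookie_demo_save', '_simacookie_demo_nonce' );
    echo '<input type="hidden" name="action" value="simacookie_demo_save">';
    echo '<textarea name="banner">' . esc_textarea( $banner ) . '</textarea>';
    submit_button();
    echo '</form>';
}

function simacookie_demo_save() {
    // Authorisation: only users allowed to manage options may change the banner.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF defence: dies with HTTP 403 unless the nonce is present and valid.
    check_admin_referer( 'simacookie_demo_save', '_simacookie_demo_nonce' );

    // Sanitise on input: keep the HTML subset allowed in posts, drop <script>,
    // on* event handlers and javascript: URLs. Use sanitize_text_field()
    // instead if the setting should not carry HTML at all.
    $banner = wp_kses_post( wp_unslash( $_POST['banner'] ?? '' ) );
    update_option( 'simacookie_demo_banner', $banner );

    wp_safe_redirect( admin_url( 'options-general.php?page=simacookie-demo&updated=1' ) );
    exit;
}
add_action( 'admin_post_simacookie_demo_save', 'simacookie_demo_save' );

// Escape on output as well: values stored before the fix may still hold markup.
function simacookie_demo_print_banner() {
    echo '<div id="simacookie-demo-banner">' . wp_kses_post( get_option( 'simacookie_demo_banner', '' ) ) . '</div>';
}
add_action( 'wp_footer', 'simacookie_demo_print_banner' );
```

Two practitioner notes. First, on a single-site WordPress install administrators hold the unfiltered_html capability and can legitimately store script in many settings, so the missing nonce check is the defect that makes this a vulnerability: it lets an unauthenticated attacker act through the administrator's browser. Second, to audit a plugin for this class, grep its admin-post, admin-ajax and options handlers for check_admin_referer, wp_verify_nonce or check_ajax_referer; a handler that writes an option without one of them matches the vulnerable pattern above.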
As an immediate action, update the plugin to a version later than 1.3.2 once one is available; this page lists no patch yet. Until then, deactivating the plugin removes the exposed handler. If you cannot update or deactivate it yourself, ask your hosting provider or web developer for help. The Patchstack advisory provides full details and mitigation guidance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- SimaCookie (simasicher-dsgvo-cookie), range: <= 1.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] Patchstack advisory for CVE-2025-58869 (link not captured in this extract)
News mentions
No linked articles in our index yet.