CVE-2025-58870

Vulnerability

Overview

The WP-GraphViz plugin for WordPress, versions up to and including 1.5.1, contains a DOM-Based Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary JavaScript into the DOM of a victim's browser [1].

Exploitation

Details

Exploitation requires user interaction, such as clicking a malicious link, visiting a crafted page, or submitting a specially crafted form. The attacker does not need elevated privileges to initiate the attack, but the victim must be a privileged user (e.g., administrator) for the script to execute in their session [1]. The vulnerability is classified as DOM-Based, meaning the payload is processed client-side without server-side sanitization.

Impact

Successful exploitation enables an attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads. These scripts execute when visitors access the compromised site, potentially leading to session hijacking, defacement, or phishing attacks [1]. The vulnerability is noted as being used in mass-exploit campaigns targeting thousands of websites.

Mitigation

The vendor has released a fix; users should update the WP-GraphViz plugin to version 1.5.2 or later. If immediate update is not possible, administrators should restrict access to the plugin's functionality or consult their hosting provider for temporary workarounds [1].