CVE-2025-58874
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in josepsitjar StoryMap wp-storymap allows DOM-Based XSS. This issue affects StoryMap: from n/a through <= 2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A DOM-based XSS vulnerability in the WordPress StoryMap plugin, versions 2.1 and earlier, lets a remote attacker run arbitrary script in a victim's browser once the victim is induced to open a crafted link.
Vulnerability
Overview
CVE-2025-58874 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the WordPress StoryMap plugin, versions 2.1 and earlier. The issue stems from improper neutralization of user-supplied input during web page generation [1]. In a DOM-based XSS the untrusted value (typically part of the URL, such as the fragment or a query parameter) is read and written into the page by the plugin's own client-side JavaScript rather than being reflected by the server, so the injected script ends up executing in the DOM context of the affected page.
Exploitation
Details
Exploitation requires user interaction: the victim must follow a crafted link or visit an attacker-controlled page that loads the affected StoryMap page with a malicious URL. The attacker never sends the payload to the WordPress server directly; it travels in the URL and is executed by the victim's browser. The page notes that a user with certain privileges must initiate the action [1], so the most damaging scenario is a logged-in editor or administrator opening the link. Client-side XSS flaws in WordPress plugins are routinely included in automated mass-exploitation campaigns that target large numbers of sites regardless of their traffic or popularity, so low-profile sites should not assume they are out of scope.
Impact
Successful exploitation allows an attacker to execute script of their choosing in the context of the victim's browser session on the affected site. This can lead to unauthorized actions such as redirecting users to phishing sites, injecting advertisements, stealing sensitive data available to the page (for example session cookies or nonces that are not HttpOnly-protected), or performing actions in the WordPress admin interface with the victim's privileges [1].
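To make the exploitation and impact passages above concrete, here is an added example of the DOM-based XSS pattern this CVE class describes, beside a hardened version. This is not the StoryMap plugin's code and says nothing about where its actual source or sink is; the `slide` title rendering, the `#slide-3` fragment format, the `makeElement` stand-in and the sample payload are all constructed for illustration so the block runs under Node without a browser.

```javascript
// Added example, not code from the StoryMap plugin.
// Models a DOM-based XSS: attacker-controlled data from the URL fragment (the
// source) is written into the page with an HTML-parsing property (the sink).

// Constructed sample payload, as it would appear in location.hash after the
// victim follows a crafted link. In a real browser the <img> is parsed and the
// onerror handler runs in the site's origin.
const SAMPLE_HASH = "#<img src=x onerror=alert(document.cookie)>";

// Minimal stand-in for a DOM element so the example runs outside a browser.
// A real element would parse whatever is assigned to innerHTML; this one only
// records the string so we can inspect what would have been parsed.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable pattern (hypothetical): the fragment names the slide to show and
// is concatenated straight into markup. Anything the attacker puts in the URL
// is parsed as HTML, so tags and event handlers execute.
function renderSlideTitleVulnerable(el, hash) {
  const title = decodeURIComponent(hash.slice(1)); // strip the leading "#"
  el.innerHTML = "<h2>" + title + "</h2>";          // HTML sink
  return el.innerHTML;
}

// Hardened pattern: validate the value against the shape a slide id actually
// has, and write it with a text sink that is never parsed as markup.
const SLIDE_ID = /^[A-Za-z0-9_-]{1,64}$/;
function renderSlideTitleSafe(el, hash) {
  const raw = decodeURIComponent(hash.slice(1));
  if (!SLIDE_ID.test(raw)) {
    return null; // reject rather than try to clean an unexpected value
  }
  el.textContent = raw; // text sink: "<" stays a literal character
  return el.textContent;
}

// When markup must be built from untrusted text, escape the five characters
// that have meaning in HTML before concatenation.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Quick triage check for log or URL review: does a fragment carry something an
// HTML sink would interpret as a tag?
function looksLikeMarkup(s) {
  return /<[a-z!\/]/i.test(s);
}

// Stand-alone demonstration.
const vulnerableOutput = renderSlideTitleVulnerable(makeElement(), SAMPLE_HASH);
console.log("vulnerable sink received:", vulnerableOutput);
console.log("safe sink, payload     :", renderSlideTitleSafe(makeElement(), SAMPLE_HASH));
console.log("safe sink, normal id   :", renderSlideTitleSafe(makeElement(), "#slide-3"));
console.log("escaped                :", escapeHtml(SAMPLE_HASH.slice(1)));

module.exports = { SAMPLE_HASH, makeElement, renderSlideTitleVulnerable, renderSlideTitleSafe, escapeHtml, looksLikeMarkup };
```

The important distinction is between the two sinks: `innerHTML` (and `document.write`, `outerHTML`, `insertAdjacentHTML`, jQuery's `.html()`) parse their input as markup, whereas `textContent` does not. Allowlisting the expected shape of the value is preferable to blocklisting tags, because browsers accept many encodings of the same payload.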
Mitigation
As an immediate step, update the StoryMap plugin to a release newer than 2.1 as soon as one is available: versions 2.1 and below are affected, and no fixed release is recorded on this page yet (see Patches below). Until a fix is available, deactivate the plugin, or contact your hosting provider or web developer for assistance [1]. A restrictive Content Security Policy on the site reduces what injected script can do but does not remove the underlying flaw.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
Patches discovered: 0. No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
References listed: 1.
News mentions: 0. No linked articles in our index yet.