CVE-2025-58875

Vulnerability

Overview

The WP Github Gist plugin for WordPress, versions 0.5 and earlier, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This means that input provided by users is not properly sanitized before being stored and later displayed to other users, allowing arbitrary script injection.

Exploitation

Details

To exploit this vulnerability, an attacker must have a privileged role (e.g., author or editor) that can submit content processed by the plugin. Successful exploitation requires a privileged user to perform an action such as clicking a link or submitting a form [1]. The attack does not require any authenticated user with stored XSS, the injected script will execute for any visitor viewing the affected page.

Impact

An attacker can inject malicious scripts that may redirect visitors to malicious sites, display unwanted advertisements, or steal session cookies and other sensitive data [1]. This can lead to defacement, phishing attacks, or further compromise of the WordPress site.

Mitigation

The vendor has not released a patched version; users should immediately update the plugin to the latest available version or remove it if no update is available [1]. As this vulnerability is known to be used in mass-exploit campaigns, prompt action is recommended.