CVE-2025-58880

Vulnerability

Overview

The Translate This gTranslate Shortcode plugin for WordPress (versions n/a through ≤1.0) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. The plugin fails to sanitize or escape certain inputs, making it possible for authenticated users with sufficient privileges to inject arbitrary JavaScript code that persists in the database.

Exploitation

Requirements

Exploitation of this vulnerability requires a user with at least contributor-level or higher privileges, as the plugin does not allow unauthenticated input injection. The attacker must be able to add or edit content that will be rendered on the site, typically through shortcode attributes. Successful execution also requires a privileged user (such as an administrator) to perform an action, such as clicking a malicious link or previewing a crafted page [1]. This means the attack depends on some form of user interaction to trigger the stored payload.

Impact

If exploited, a stored XSS payload can execute when any visitor loads a page containing the malicious shortcode output. This could allow the attacker to inject scripts that steal session cookies, redirect users to malicious websites, display unwanted advertisements, or deface the site [1]. The CVSS v3.1 base score is 6.5 (Medium), reflecting the need for authenticated access and user interaction but also the potential for significant impact on confidentiality and integrity.

Mitigation

The vendor has not released a patched version; users should immediately disable the plugin or apply any available update. If unable to update, consult a hosting provider or web developer for assistance [1]. As this vulnerability type is commonly used in mass-exploit campaigns, prompt action is recommended.