CVE-2025-58964

Vulnerability

Overview

CVE-2025-58964 is a reflected Cross-Site Scripting (XSS) vulnerability in the WordPress Enzy theme, affecting versions from n/a through 1.6.4. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into the response [1].

Exploitation

Details

Exploitation requires user interaction — a privileged user must click a crafted link, visit a malicious page, or submit a specially crafted form. The attacker does not need authentication but relies on tricking an authenticated user (e.g., an administrator) into performing the action. This makes the vulnerability suitable for mass exploitation campaigns targeting thousands of WordPress sites regardless of size or popularity [1].

Impact

Successful exploitation enables an attacker to inject malicious scripts that execute in the context of the victim's browser. This can lead to redirects to attacker-controlled sites, display of unwanted advertisements, or other HTML payloads that compromise the integrity of the site for visitors [1].

Mitigation

The vulnerability is patched in version 1.6.4. Users are strongly advised to update the theme immediately. If updating is not possible, a mitigation rule from Patchstack can block attacks until the update is applied [1].