CVE-2025-58965

Vulnerability

Overview

The Fusion Page Builder : Extension – Gallery plugin for WordPress (versions up to and including 1.7.6) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an authenticated attacker with sufficient privileges to inject arbitrary JavaScript or HTML payloads that are stored on the server and executed when other users visit the affected page.

Exploitation

Details

Exploitation requires a privileged user role (such as an editor or administrator) to submit crafted input through the plugin's gallery functionality. The injected script persists in the database and triggers automatically when any visitor loads the compromised page, without requiring additional user interaction from the victim [1]. This type of vulnerability is commonly targeted vulnerability is frequently used in mass-exploit campaigns against WordPress sites.

Impact

A successful attack allows the malicious actor to execute arbitrary scripts in the context of the victim's browser session. Potential actions include redirecting visitors to malicious sites, injecting unwanted advertisements, stealing session cookies, or defacing the website [1]. The CVSS v3 base score of 6.5 (Medium) reflects the need for authenticated access but the broad impact on site visitors.

Mitigation

The vendor has released version 1.7.7 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, enabling auto-updates for vulnerable plugins or consulting a hosting provider is recommended [1].