CVE-2025-58974

Vulnerability

Overview

CVE-2025-58974 is a Stored Cross-Site Scripting (XSS) vulnerability in the WPComplete plugin for WordPress, affecting versions from n/a through 2.9.5.2. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker with sufficient privileges to inject arbitrary HTML and JavaScript into the application code that persists on the server [1].

Exploitation

Prerequisites

Exploitation requires an authenticated user with at least the role specified in the plugin's configuration (typically a contributor or higher) to submit crafted input that is not sanitized. The vulnerability is triggered when a privileged user performs an action such as clicking a malicious link or visiting a specially crafted page, but the injected payload then executes automatically for any visitor viewing the affected content [1].

Impact

A successful attack enables the attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, which execute in the browsers of site visitors. This can lead to session hijacking, defacement, or phishing attacks against users of the WordPress site [1].

Mitigation

The vendor has released version 2.9.5.3 which resolves the vulnerability. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended [1].