CVE-2025-58982

Vulnerability

Overview

Improper neutralization of input during web page generation in Pixeline's Email Protector plugin for WordPress (versions up to and including 1.3.8) leads to a stored cross-site scripting (XSS) vulnerability [1]. This means that an attacker can inject arbitrary HTML or JavaScript code that gets stored on the server and executed when other users view the affected page.

Exploitation

Exploitation requires a privileged user (such as an administrator) to perform an action like clicking a malicious link or submitting a crafted form [1]. Once triggered, the injected script executes in the context of the victim's browser, potentially affecting site visitors or other administrators.

Impact

Successful exploitation allows an attacker to perform actions such as redirecting users to malicious sites, displaying advertisements, or stealing session cookies, thereby compromising the integrity and security of the WordPress site [1].

Mitigation

The vulnerability has been addressed in version 1.4.0 of the plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended [1].