CVE-2025-58983

The Include Me plugin for WordPress versions up to and including 1.3.2 suffers from a stored cross-site scripting vulnerability (CVE-2025-58983). The plugin fails to properly sanitize user input during web page generation, enabling attackers to inject arbitrary HTML and JavaScript that is stored on the server and executed when other users visit the affected page [1].

Exploitation requires a privileged user account with at least contributor-level access to save the malicious payload. Successful execution depends on a higher-privileged user (e.g., administrator) performing an action such as clicking a crafted link or visiting a manipulated page. This vector is commonly used in mass-exploit campaigns targeting thousands of websites regardless of traffic size [1].

An attacker can leverage this vulnerability to inject malicious scripts that may redirect visitors, display advertisements, or steal sensitive data. Although the CVSS score (5.9) indicates medium severity, the plugin maintainer has assessed the impact as low and unlikely to be widely exploited. Nevertheless, the vendor has released version 1.3.3 which resolves the issue; users should update immediately. For Patchstack subscribers, auto-updates are available for vulnerable plugins [1].