CVE-2025-58985

The vulnerability is a stored cross-site scripting (XSS) issue in the Additional Custom Product Tabs for WooCommerce plugin by WPFactory. The plugin fails to properly neutralize input during web page generation, allowing attackers to inject arbitrary HTML and JavaScript code via product tabs. This affects all versions from n/a through 1.7.3 [1].

Exploitation requires a privileged user (e.g., shop manager or admin) to perform an action such as clicking a malicious link or visiting a crafted page. Although the vulnerability can be initiated by a role with required privileges, successful exploitation depends on user interaction. The injected script is stored and executed when other users visit the affected product pages, making it a stored XSS attack vector [1].

Impact includes the execution of malicious scripts like redirects, advertisements, or other HTML payloads on the website. This can lead to data theft, defacement, or further compromise of user sessions. The CVSS score is 6.5 (Medium) [1].

The vulnerability is patched in version 1.7.4. Users are strongly advised to update immediately. If unable to update, seek assistance from a hosting provider or web developer. Patchstack users can enable auto-updates for vulnerable plugins. This vulnerability is part of mass-exploit campaigns, so immediate action is recommended [1].