CVE-2025-58992

Vulnerability

Overview

The Product Catalog Simple plugin for WordPress (post-type-x) versions up to and including 1.8.2 contain a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows an authenticated attacker with sufficient privileges to inject arbitrary JavaScript or HTML payloads that are stored on the server and later executed in the browsers of visitors.

Exploitation

Details

Exploitation requires a privileged user role to perform an action such as clicking a malicious link or submitting a crafted form [1]. The attack does not require high traffic or critical privileges but does depend on user interaction from a privileged account. Once the malicious script is stored, it will execute automatically when any guest visits the affected page, enabling the attacker to perform actions within the security context of the victim's session.

Impact

Impact

A successful attack could allow the attacker to inject malicious scripts that redirect visitors to attacker-controlled sites, display unwanted advertisements, or deliver other HTML payloads [1]. This can lead to defacement, phishing, or further compromise of the site's visitors. The vulnerability is considered medium severity (CVSS 6.5) and has been observed in mass-exploit campaigns targeting thousands of WordPress sites [1].

Mitigation

The vendor has released version 1.8.3 which resolves the vulnerability [1]. Users are strongly advised to update immediately. If updating is not possible, users should contact their hosting provider or web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins to stay protected [1].