CVE-2025-59556

Vulnerability

Overview

The GoStore theme for WordPress versions before 1.6.4 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript code into a web page, which is then reflected back to the user.

Exploitation

Details

To exploit this vulnerability, an attacker must trick a privileged user (such as an administrator) into clicking a malicious link or visiting a crafted page that triggers the reflected XSS [1]. The attack does not require authentication to initiate, but successful exploitation depends on user interaction from a victim with higher privileges.

Impact

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, redirection to malicious sites, or injection of unwanted content such as advertisements [1]. This could compromise the integrity and confidentiality of the affected WordPress site.

Mitigation

The vendor has released version 1.6.4 to fix this vulnerability. Users are strongly advised to update immediately. If unable to update, implementing security rules (e.g., via Patchstack) can provide temporary mitigation [1]. Due to the moderate danger and potential for mass exploitation, prompt action is recommended.