VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published Sep 22, 2025 · Updated Apr 23, 2026

CVE-2025-59587

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Shortcodes & Performance penci-shortcodes allows DOM-Based XSS. This issue affects Penci Shortcodes & Performance: from n/a through < 6.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-based XSS vulnerability in Penci Shortcodes & Performance WordPress plugin allows script injection; patched in version 6.1.

Vulnerability

Details

The Penci Shortcodes & Performance plugin for WordPress contains a DOM-based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw affects all versions from n/a through 6.0, allowing attackers to inject malicious scripts into web pages.

Exploitation

Exploitation requires user interaction, such as a privileged user clicking a crafted link, visiting a specially crafted page, or submitting a malicious form [1]. The attack can be initiated by a low-privileged user but relies on a higher-privileged user to perform the action.

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to redirects, injected advertisements, theft of session cookies, or other HTML payloads when visitors access the site [1].

Mitigation

The vulnerability has been patched in version 6.1. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins [1]. While the severity is rated medium (CVSS 6.5), this type of vulnerability is known to be used in mass-exploit campaigns.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)