CVE-2025-59590

Vulnerability

Overview

CVE-2025-59590 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress Media Library Assistant plugin, versions 3.28 and earlier. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into the plugin's output [1].

Exploitation

Details

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link or submitting a crafted form. Once triggered, the injected script is stored on the server and executed in the browsers of other users visiting the affected site [1]. The vulnerability is classified as medium severity (CVSS 5.9) and is known to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

A successful attack could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which execute when guests visit the site. This can lead to defacement, data theft, or further compromise of the WordPress installation [1].

Mitigation

The vulnerability is patched in version 3.29 of the plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].