CVE-2025-58265
BaseFortify
Publication date: 2025-09-22
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stonehenge_creations | events_manager_openstreetmaps | 4.2.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58265 is a Cross-Site Scripting (XSS) vulnerability in the WordPress Events Manager β OpenStreetMaps Plugin up to version 4.2.1. It allows attackers with contributor-level privileges to inject malicious scripts into web pages generated by the plugin. These scripts can execute when visitors access the affected website, potentially causing redirects, displaying unwanted advertisements, or executing other harmful HTML payloads. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts on your website, which can lead to unauthorized redirects, display of unwanted advertisements, or other harmful actions affecting your site's visitors. Since the plugin is likely abandoned and no official fix is available, the risk remains unless a virtual patch is applied or the plugin is replaced. This can compromise the security and user trust of your website. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Stored Cross-Site Scripting (XSS) in the WordPress Events Manager β OpenStreetMaps Plugin up to version 4.2.1. Detection involves checking if the vulnerable plugin version is installed and monitoring for suspicious script injections in web pages generated by the plugin. Specific commands are not provided in the resources, but typical detection methods include scanning the website for reflected or stored scripts in input fields related to the plugin and reviewing plugin version information via WordPress CLI commands such as 'wp plugin list' to identify the plugin version. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include urgently replacing the vulnerable Events Manager β OpenStreetMaps plugin with an alternative solution, as no official fix or patched version is available. Applying a virtual patch (vPatch) from Patchstack can help mitigate the issue temporarily. Simply deactivating the plugin does not eliminate the security risk. Therefore, using a virtual patch or replacing the plugin is strongly recommended. [1]