CVE-2025-58640
BaseFortify
Publication date: 2025-09-03
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | document_engine_plugin | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58640 is a Cross Site Scripting (XSS) vulnerability in the WordPress Document Engine Plugin versions up to 1.2. It allows attackers with contributor-level privileges to inject malicious scripts, such as redirects or advertisements, that execute when visitors access the affected website. This vulnerability arises from improper neutralization of input during web page generation, enabling stored XSS attacks. It is classified under OWASP Top 10 category A3: Injection. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute unauthorized scripts on your website, which can compromise website integrity and user experience. Malicious scripts could redirect users, display unwanted advertisements, or perform other harmful actions. Although the severity is considered low (CVSS score 6.5), exploitation can lead to compromised site functionality and potential trust issues with your users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the WordPress Document Engine Plugin version is 1.2 or earlier, as these versions are vulnerable. Since the vulnerability allows injection of malicious scripts that execute when visitors access the site, monitoring web traffic for suspicious script payloads or unexpected redirects may help. However, plugin-based scanners are considered unreliable for detecting compromise. Professional incident response and server-side malware scanning are recommended for detection. Specific commands are not provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the WordPress Document Engine Plugin to version 1.3 or later, where the vulnerability is fixed. Alternatively, using Patchstack's virtual patching (vPatching) technology can provide rapid protection even before official patches are applied. Additionally, timely updates and monitoring for exploitation attempts are advised. [1]