CVE-2025-58674
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-23

Last updated on: 2026-04-28

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-23
Last Modified
2026-04-28
Generated
2026-05-07
AI Q&A
2025-09-23
EPSS Evaluated
2026-05-05
NVD
CVE-2025-58674
Affected Vendors & Products
Showing 24 associated CPEs
Vendor Product Version / Range
wordpress wordpress 6.8
wordpress wordpress 5.5
wordpress wordpress 5.8
wordpress wordpress 6.8.3
wordpress wordpress 6.3
wordpress wordpress 6.4
wordpress wordpress 5.1
wordpress wordpress 6.0
wordpress wordpress 5.9
wordpress wordpress 4.7
wordpress wordpress 6.1
wordpress wordpress 5.6
wordpress wordpress 5.4
wordpress wordpress 6.2
wordpress wordpress 6.8.2
wordpress wordpress 6.6
wordpress wordpress 6.7
wordpress wordpress 4.8
wordpress wordpress 5.2
wordpress wordpress 5.3
wordpress wordpress 5.0
wordpress wordpress 4.9
wordpress wordpress 6.5
wordpress wordpress 5.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Stored Cross-site Scripting (XSS) issue in Automattic WordPress. It occurs due to improper neutralization of input during web page generation, allowing an attacker with Author or higher user privileges to inject malicious scripts that are stored and executed in the context of other users viewing the affected pages.


How can this vulnerability impact me? :

The vulnerability can allow an attacker with Author or higher privileges to execute malicious scripts in the context of other users, potentially leading to data theft, session hijacking, or other malicious actions. Although it is considered low severity, it can compromise the integrity and confidentiality of user data and site functionality.


What immediate steps should I take to mitigate this vulnerability?

Since this vulnerability requires an attacker to have Author or higher user privileges, immediate mitigation steps include limiting user privileges to only those necessary, monitoring and restricting Author-level access, and applying any forthcoming patches from the WordPress core security team once available. Additionally, implementing web application firewalls and input validation can help reduce risk.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart