CVE-2025-58674
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-23

Last updated on: 2026-04-28

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-23
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2025-09-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58674
Affected Vendors & Products
Showing 24 associated CPEs
Vendor Product Version / Range
wordpress wordpress 6.8
wordpress wordpress 5.5
wordpress wordpress 5.8
wordpress wordpress 6.8.3
wordpress wordpress 6.3
wordpress wordpress 6.4
wordpress wordpress 5.1
wordpress wordpress 6.0
wordpress wordpress 5.9
wordpress wordpress 4.7
wordpress wordpress 6.1
wordpress wordpress 5.6
wordpress wordpress 5.4
wordpress wordpress 6.2
wordpress wordpress 6.8.2
wordpress wordpress 6.6
wordpress wordpress 6.7
wordpress wordpress 4.8
wordpress wordpress 5.2
wordpress wordpress 5.3
wordpress wordpress 5.0
wordpress wordpress 4.9
wordpress wordpress 6.5
wordpress wordpress 5.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-site Scripting (XSS) issue in Automattic WordPress. It occurs due to improper neutralization of input during web page generation, allowing an attacker with Author or higher user privileges to inject malicious scripts that are stored and executed in the context of other users viewing the affected pages.

Impact Analysis

The vulnerability can allow an attacker with Author or higher privileges to execute malicious scripts in the context of other users, potentially leading to data theft, session hijacking, or other malicious actions. Although it is considered low severity, it can compromise the integrity and confidentiality of user data and site functionality.

Mitigation Strategies

Since this vulnerability requires an attacker to have Author or higher user privileges, immediate mitigation steps include limiting user privileges to only those necessary, monitoring and restricting Author-level access, and applying any forthcoming patches from the WordPress core security team once available. Additionally, implementing web application firewalls and input validation can help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58674. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart