CVE-2025-58790
BaseFortify
Publication date: 2025-09-05
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | kiwi | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WordPress Kiwi Plugin (versions up to 2.1.8). It allows attackers with contributor-level privileges to inject malicious scripts, such as redirects or advertisements, into web pages generated by the plugin. These scripts execute when visitors access the affected site, potentially compromising user interactions or site integrity. [1]
How can this vulnerability impact me? :
The vulnerability can lead to attackers injecting malicious scripts into your website, which execute when visitors access your site. This can result in unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads. It poses risks to your site's security and user trust. Since the plugin is abandoned and unpatched, the risk remains unless you replace the plugin or apply a virtual patch. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The provided resources do not include specific detection commands or methods to identify this vulnerability on your network or system. However, since the vulnerability involves stored Cross-Site Scripting (XSS) in the Kiwi WordPress plugin up to version 2.1.8, detection typically involves scanning for the presence of the vulnerable plugin version and monitoring for suspicious script injections in web pages generated by the plugin. No explicit commands or tools are suggested in the provided text.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing or replacing the Kiwi plugin, as no official patch or fix is available and the plugin appears abandoned. Simply deactivating the plugin is insufficient unless a virtual patch (vPatch) is applied. Applying a vPatch is recommended as the fastest mitigation method, providing automatic protection even without an official patch. Due to the vulnerability's exploitability with contributor-level privileges and the risk of automated attacks, urgent action to remove or replace the plugin is advised. [1]