CVE-2025-58814
BaseFortify
Publication date: 2025-09-05
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | stagtools | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WordPress Stagtools Plugin up to version 2.3.8. It allows attackers with contributor-level privileges to inject malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβinto web pages generated by the plugin. These scripts execute when visitors access the affected site, potentially compromising user interactions and site integrity. [1]
How can this vulnerability impact me? :
The vulnerability can lead to attackers injecting malicious scripts that execute in the browsers of site visitors. This can result in unauthorized redirects, display of unwanted advertisements, theft of user data, session hijacking, or other malicious activities. Since the plugin is abandoned with no official patch, the risk remains unless mitigated by removing the plugin or applying virtual patching. Deactivating the plugin alone does not fully eliminate the risk. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by scanning for the presence of the vulnerable Stagtools plugin version 2.3.8 or earlier on your WordPress site. Since the vulnerability involves stored XSS, monitoring for unusual script injections or unexpected HTML payloads in plugin-generated pages may help. However, plugin-based malware scanners may be unreliable for this vulnerability. No specific commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing and replacing the Stagtools plugin with an alternative solution, as no official patch or fixed version is available. Deactivating the plugin alone is insufficient unless a virtual patch (vPatch) is applied. Patchstack offers virtual patching that auto-applies security rules to protect websites from exploitation. Users should also consider professional incident response if their sites have been compromised. [1]