CVE-2025-58858
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-05

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Image Widget wpb-image-widget allows Stored XSS.This issue affects WPB Image Widget: from n/a through <= 1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-05
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2025-09-05
EPSS Evaluated
2026-06-14
NVD
CVE-2025-58858
EUVD
EUVD-2025-26919
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpbean wpb_image_widget 1.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WPB Image Widget WordPress plugin (versions up to 1.1). It allows attackers with at least contributor-level privileges to inject malicious scripts into web pages generated by the plugin. These scripts can execute when visitors access the compromised website, potentially causing redirects, displaying unwanted advertisements, or executing other harmful HTML payloads. [1]

Impact Analysis

If exploited, this vulnerability can lead to malicious scripts running in the browsers of visitors to your website. This can result in unwanted redirects, display of malicious advertisements, or other harmful actions that compromise user experience and security. It may also lead to partial loss of confidentiality, integrity, and availability of the affected website. However, exploitation requires contributor-level access, and the vulnerability is considered low severity with a CVSS score of 6.5. [1]

Detection Guidance

Detection of this vulnerability involves checking if the WPB Image Widget plugin version 1.1 or earlier is installed and looking for signs of stored XSS payloads in the widget inputs. Since exploitation requires contributor-level privileges, monitoring for unusual input or script injections in the widget content is important. No specific commands are provided, but professional incident response and server-side malware scanning are recommended, as plugin-based malware scanners may be unreliable. [1]

Mitigation Strategies

Immediate mitigation steps include applying virtual patching (vPatching) offered by Patchstack, which provides automatic protection even without an official fix. Additionally, restricting contributor-level privileges to trusted users and monitoring for suspicious activity is advised. Since no official patch is available, seeking professional incident response and performing server-side malware scanning if compromise is suspected are recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58858. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart