CVE-2025-58985
BaseFortify
Publication date: 2025-09-09
Last updated on: 2026-04-23
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpfactory | additional_custom_product_tabs_for_woocommerce | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WordPress Additional Custom Product Tabs for WooCommerce plugin (versions up to 1.7.3). It allows a malicious user with contributor-level access to inject malicious scripts into the website. These scripts can execute when visitors access the site, potentially causing redirects, displaying unwanted advertisements, or executing other harmful HTML payloads. [1]
How can this vulnerability impact me?
The vulnerability can impact you by allowing attackers to inject malicious scripts that run in the browsers of your website visitors. This can lead to unwanted redirects, display of malicious advertisements, or other harmful actions that compromise user experience and trust. It may also lead to partial compromise of website integrity and user data through script execution. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting this vulnerability comes down to checking whether the WordPress Additional Custom Product Tabs for WooCommerce plugin is installed and running a vulnerable version (1.7.3 or earlier). You can verify the plugin version in the WordPress admin dashboard, or from the WordPress installation directory with WP-CLI, for example: `wp plugin list | grep additional-custom-product-tabs`, which prints the installed version. Additionally, monitoring product tab content for unexpected script tags or unusual HTML payloads may indicate exploitation attempts. The resources provide no specific commands for directly detecting the XSS payload itself. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate recommended step is to update the Additional Custom Product Tabs for WooCommerce plugin to version 1.7.4 or later, where the vulnerability is fixed. As a protective measure before updating, Patchstack offers virtual patching (vPatching), which can automatically mitigate the vulnerability. Until the update is applied, keep in mind that any user with contributor-level privileges can inject malicious scripts through this flaw. Overall, updating the plugin remains the best mitigation. [1]