CVE-2025-58985
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Product Tabs for WooCommerce product-tabs-for-woocommerce allows Stored XSS.This issue affects Additional Custom Product Tabs for WooCommerce: from n/a through <= 1.7.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-14
NVD
CVE-2025-58985
EUVD
EUVD-2025-27399
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpfactory additional_custom_product_tabs_for_woocommerce *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WordPress Additional Custom Product Tabs for WooCommerce plugin (versions up to 1.7.3). It allows a malicious user with contributor-level access to inject malicious scripts into the website. These scripts can execute when visitors access the site, potentially causing redirects, displaying unwanted advertisements, or executing other harmful HTML payloads. [1]

Impact Analysis

The vulnerability can impact you by allowing attackers to inject malicious scripts that run in the browsers of your website visitors. This can lead to unwanted redirects, display of malicious advertisements, or other harmful actions that compromise user experience and trust. It may also lead to partial compromise of website integrity and user data through script execution. [1]

Detection Guidance

Detection of this vulnerability involves checking if the WordPress Additional Custom Product Tabs for WooCommerce plugin is installed and running a vulnerable version (up to 1.7.3). You can verify the plugin version via WordPress admin dashboard or by running commands to check the plugin version in the WordPress installation directory. For example, use: `wp plugin list | grep additional-custom-product-tabs` to see the installed version. Additionally, monitoring for unusual script injections or unexpected HTML payloads in product tab content may indicate exploitation attempts. There are no specific commands provided for direct detection of the XSS payload in the resources. [1]

Mitigation Strategies

The immediate recommended step is to update the Additional Custom Product Tabs for WooCommerce plugin to version 1.7.4 or later, where the vulnerability is fixed. As an immediate protective measure before updating, Patchstack offers virtual patching (vPatching) which can auto-mitigate the vulnerability. Users with contributor-level privileges should be cautious as they can inject malicious scripts. Overall, updating the plugin remains the best mitigation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58985. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart