CVE-2025-58988
BaseFortify
Publication date: 2025-09-09
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | my_tickets | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58988 is a Cross Site Scripting (XSS) vulnerability in the WordPress My Tickets Plugin versions up to 2.0.22. It allows attackers with at least contributor-level privileges to inject malicious scripts, such as redirects or advertisements, which execute when visitors access the affected website. This occurs due to improper neutralization of input during web page generation, enabling stored XSS attacks. [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized script execution on your website, potentially allowing attackers to manipulate site content, redirect users to malicious sites, or display unwanted advertisements. Although the severity is considered low and exploitation requires contributor-level access, if exploited, it could harm your site's integrity and user trust. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the WordPress My Tickets Plugin version is 2.0.22 or earlier, as these versions are vulnerable. Since exploitation requires contributor-level privileges and involves stored XSS, monitoring for unusual script injections or unexpected redirects in the web application logs may help. Additionally, professional incident response and server-side malware scanning are recommended because plugin-based malware scanners may be unreliable. Specific commands are not provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the WordPress My Tickets Plugin to version 2.0.23 or later, where the vulnerability is fixed. Alternatively, using Patchstack's virtual patching (vPatching) technology can auto-mitigate the vulnerability even before official patches are applied. It is also advised to perform professional incident response and server-side malware scanning if a site is suspected to be compromised. [1]