CVE-2025-58674

Summary

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.

Affected Software

VendorProductVersion RangeStatus
WordPressWordPress6.8 <= 6.8.2affected
WordPressWordPress6.7 <= 6.7.3affected
WordPressWordPress6.6 <= 6.6.3affected
WordPressWordPress6.5 <= 6.5.6affected
WordPressWordPress6.4 <= 6.4.6affected
WordPressWordPress6.3 <= 6.3.6affected
WordPressWordPress6.2 <= 6.2.7affected
WordPressWordPress6.1 <= 6.1.8affected
WordPressWordPress6.0 <= 6.0.10affected
WordPressWordPress5.9 <= 5.9.11affected
WordPressWordPress5.8 <= 5.8.11affected
WordPressWordPress5.7 <= 5.7.13affected
WordPressWordPress5.6 <= 5.6.15affected
WordPressWordPress5.5 <= 5.5.16affected
WordPressWordPress5.4 <= 5.4.17affected
WordPressWordPress5.3 <= 5.3.19affected
WordPressWordPress5.2 <= 5.2.22affected
WordPressWordPress5.1 <= 5.1.20affected
WordPressWordPress5.0 <= 5.0.23affected
WordPressWordPress4.9 <= 4.9.27affected
WordPressWordPress4.8 <= 4.8.26affected
WordPressWordPress4.7 <= 4.7.30affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References