CVE-2025-58674 — Cross-site Scripting in Wordpress

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

5.9MEDIUMNVD

EPSS

0.0%

top 92.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress

Timeline

PublishedSep 23

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 throug…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:LExploitability: 1.7 | Impact: 3.7

Affected Packages2 packages

▶Debianwordpress/wordpress< 5.7.14+dfsg1-0+deb11u1+3

▶CVEListV5wordpress/wordpress6.8 — 6.8.2+21

🔴Vulnerability Details

OSV

CVE-2025-58674: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS↗2025-09-23

▶

CVEList

WordPress <= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability↗2025-09-23

▶

GHSA

GHSA-73p8-vhmr-7r6r: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS↗2025-09-23

▶

📋Vendor Advisories

Debian

CVE-2025-58674: wordpress - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti...↗2025

▶