{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-58674", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-09-03T09:03:46.831Z", "datePublished": "2025-09-23T18:47:02.628Z", "dateUpdated": "2025-10-01T08:35:39.048Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WordPress", "repo": "https://github.com/WordPress/WordPress", "vendor": "WordPress", "versions": [{"changes": [{"at": "6.8.3", "status": "unaffected"}], "lessThanOrEqual": "6.8.2", "status": "affected", "version": "6.8", "versionType": "custom"}, {"changes": [{"at": "6.7.4", "status": "unaffected"}], "lessThanOrEqual": "6.7.3", "status": "affected", "version": "6.7", "versionType": "custom"}, {"changes": [{"at": "6.6.4", "status": "unaffected"}], "lessThanOrEqual": "6.6.3", "status": "affected", "version": "6.6", "versionType": "custom"}, {"changes": [{"at": "6.5.7", "status": "unaffected"}], "lessThanOrEqual": "6.5.6", "status": "affected", "version": "6.5", "versionType": "custom"}, {"changes": [{"at": "6.4.7", "status": "unaffected"}], "lessThanOrEqual": "6.4.6", "status": "affected", "version": "6.4", "versionType": "custom"}, {"changes": [{"at": "6.3.7", "status": "unaffected"}], "lessThanOrEqual": "6.3.6", "status": "affected", "version": "6.3", "versionType": "custom"}, {"changes": [{"at": "6.2.8", "status": "unaffected"}], "lessThanOrEqual": "6.2.7", "status": "affected", "version": "6.2", "versionType": "custom"}, {"changes": [{"at": "6.1.9", "status": "unaffected"}], "lessThanOrEqual": "6.1.8", "status": "affected", "version": "6.1", "versionType": "custom"}, {"changes": [{"at": "6.0.11", "status": "unaffected"}], "lessThanOrEqual": "6.0.10", "status": "affected", "version": "6.0", "versionType": "custom"}, {"changes": [{"at": "5.9.12", "status": "unaffected"}], "lessThanOrEqual": "5.9.11", "status": "affected", "version": "5.9", "versionType": "custom"}, {"changes": [{"at": "5.8.12", "status": "unaffected"}], "lessThanOrEqual": "5.8.11", "status": "affected", "version": "5.8", "versionType": "custom"}, {"changes": [{"at": "5.7.14", "status": "unaffected"}], "lessThanOrEqual": "5.7.13", "status": "affected", "version": "5.7", "versionType": "custom"}, {"changes": [{"at": "5.6.16", "status": "unaffected"}], "lessThanOrEqual": "5.6.15", "status": "affected", "version": "5.6", "versionType": "custom"}, {"changes": [{"at": "5.5.17", "status": "unaffected"}], "lessThanOrEqual": "5.5.16", "status": "affected", "version": "5.5", "versionType": "custom"}, {"changes": [{"at": "5.4.18", "status": "unaffected"}], "lessThanOrEqual": "5.4.17", "status": "affected", "version": "5.4", "versionType": "custom"}, {"changes": [{"at": "5.3.20", "status": "unaffected"}], "lessThanOrEqual": "5.3.19", "status": "affected", "version": "5.3", "versionType": "custom"}, {"changes": [{"at": "5.2.23", "status": "unaffected"}], "lessThanOrEqual": "5.2.22", "status": "affected", "version": "5.2", "versionType": "custom"}, {"changes": [{"at": "5.1.21", "status": "unaffected"}], "lessThanOrEqual": "5.1.20", "status": "affected", "version": "5.1", "versionType": "custom"}, {"changes": [{"at": "5.0.24", "status": "unaffected"}], "lessThanOrEqual": "5.0.23", "status": "affected", "version": "5.0", "versionType": "custom"}, {"changes": [{"at": "4.9.28", "status": "unaffected"}], "lessThanOrEqual": "4.9.27", "status": "affected", "version": "4.9", "versionType": "custom"}, {"changes": [{"at": "4.8.27", "status": "unaffected"}], "lessThanOrEqual": "4.8.26", "status": "affected", "version": "4.8", "versionType": "custom"}, {"changes": [{"at": "4.7.31", "status": "unaffected"}], "lessThanOrEqual": "4.7.30", "status": "affected", "version": "4.7", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "savphill (Patchstack Bug Bounty Program)"}, {"lang": "en", "type": "coordinator", "value": "John Blackbourn (WordPress core security team lead)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(252, 252, 252);\">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.</span><p>This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2025-10-01T08:35:39.048Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve"}, {"tags": ["release-notes"], "url": "https://wordpress.org/news/2025/09/wordpress-6-8-3-release/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."}], "value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."}], "source": {"discovery": "EXTERNAL"}, "tags": ["x_open-source"], "title": "WordPress <= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-23T19:15:09.886956Z", "id": "CVE-2025-58674", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-23T19:17:35.099Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-58674", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-23T19:15:09.886956Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-23T19:15:12.007Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress <= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "savphill (Patchstack Bug Bounty Program)"}, {"lang": "en", "type": "coordinator", "value": "John Blackbourn (WordPress core security team lead)"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/WordPress/WordPress", "vendor": "WordPress", "product": "WordPress", "versions": [{"status": "affected", "changes": [{"at": "6.8.3", "status": "unaffected"}], "version": "6.8", "versionType": "custom", "lessThanOrEqual": "6.8.2"}, {"status": "affected", "changes": [{"at": "6.7.4", "status": "unaffected"}], "version": "6.7", "versionType": "custom", "lessThanOrEqual": "6.7.3"}, {"status": "affected", "changes": [{"at": "6.6.4", "status": "unaffected"}], "version": "6.6", "versionType": "custom", "lessThanOrEqual": "6.6.3"}, {"status": "affected", "changes": [{"at": "6.5.7", "status": "unaffected"}], "version": "6.5", "versionType": "custom", "lessThanOrEqual": "6.5.6"}, {"status": "affected", "changes": [{"at": "6.4.7", "status": "unaffected"}], "version": "6.4", "versionType": "custom", "lessThanOrEqual": "6.4.6"}, {"status": "affected", "changes": [{"at": "6.3.7", "status": "unaffected"}], "version": "6.3", "versionType": "custom", "lessThanOrEqual": "6.3.6"}, {"status": "affected", "changes": [{"at": "6.2.8", "status": "unaffected"}], "version": "6.2", "versionType": "custom", "lessThanOrEqual": "6.2.7"}, {"status": "affected", "changes": [{"at": "6.1.9", "status": "unaffected"}], "version": "6.1", "versionType": "custom", "lessThanOrEqual": "6.1.8"}, {"status": "affected", "changes": [{"at": "6.0.11", "status": "unaffected"}], "version": "6.0", "versionType": "custom", "lessThanOrEqual": "6.0.10"}, {"status": "affected", "changes": [{"at": "5.9.12", "status": "unaffected"}], "version": "5.9", "versionType": "custom", "lessThanOrEqual": "5.9.11"}, {"status": "affected", "changes": [{"at": "5.8.12", "status": "unaffected"}], "version": "5.8", "versionType": "custom", "lessThanOrEqual": "5.8.11"}, {"status": "affected", "changes": [{"at": "5.7.14", "status": "unaffected"}], "version": "5.7", "versionType": "custom", "lessThanOrEqual": "5.7.13"}, {"status": "affected", "changes": [{"at": "5.6.16", "status": "unaffected"}], "version": "5.6", "versionType": "custom", "lessThanOrEqual": "5.6.15"}, {"status": "affected", "changes": [{"at": "5.5.17", "status": "unaffected"}], "version": "5.5", "versionType": "custom", "lessThanOrEqual": "5.5.16"}, {"status": "affected", "changes": [{"at": "5.4.18", "status": "unaffected"}], "version": "5.4", "versionType": "custom", "lessThanOrEqual": "5.4.17"}, {"status": "affected", "changes": [{"at": "5.3.20", "status": "unaffected"}], "version": "5.3", "versionType": "custom", "lessThanOrEqual": "5.3.19"}, {"status": "affected", "changes": [{"at": "5.2.23", "status": "unaffected"}], "version": "5.2", "versionType": "custom", "lessThanOrEqual": "5.2.22"}, {"status": "affected", "changes": [{"at": "5.1.21", "status": "unaffected"}], "version": "5.1", "versionType": "custom", "lessThanOrEqual": "5.1.20"}, {"status": "affected", "changes": [{"at": "5.0.24", "status": "unaffected"}], "version": "5.0", "versionType": "custom", "lessThanOrEqual": "5.0.23"}, {"status": "affected", "changes": [{"at": "4.9.28", "status": "unaffected"}], "version": "4.9", "versionType": "custom", "lessThanOrEqual": "4.9.27"}, {"status": "affected", "changes": [{"at": "4.8.27", "status": "unaffected"}], "version": "4.8", "versionType": "custom", "lessThanOrEqual": "4.8.26"}, {"status": "affected", "changes": [{"at": "4.7.31", "status": "unaffected"}], "version": "4.7", "versionType": "custom", "lessThanOrEqual": "4.7.30"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31.", "supportingMedia": [{"type": "text/html", "value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31.", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}, {"url": "https://wordpress.org/news/2025/09/wordpress-6-8-3-release/", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(252, 252, 252);\">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.</span><p>This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2025-10-01T08:35:39.048Z"}}}, "cveMetadata": {"cveId": "CVE-2025-58674", "state": "PUBLISHED", "dateUpdated": "2025-10-01T08:35:39.048Z", "dateReserved": "2025-09-03T09:03:46.831Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-09-23T18:47:02.628Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30."}], "id": "CVE-2025-58674", "lastModified": "2025-10-01T09:15:37.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2025-09-23T19:15:41.603", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve"}, {"source": "audit@patchstack.com", "url": "https://wordpress.org/news/2025/09/wordpress-6-8-3-release/"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"created": "2025-09-25T08:22:15.964500+00:00", "updated": "2025-09-25T08:22:15.964568+00:00", "vendors": ["automattic", "automattic$PRODUCT$wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}