CVE-2025-53458: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in davaxi Goracash plugin through version 1.1. The vulnerability was discovered and reported by Vinit Lakra on July 5, 2025, and was publicly disclosed on September 22, 2025. This security issue affects WordPress installations using the Goracash plugin versions up to and including 1.1 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (CWE-79). It has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires administrator privileges to exploit (Patchstack).

If exploited, this vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

No official fix is currently available for this vulnerability. The software is considered abandoned as it hasn't been updated for over a year. The recommended mitigation strategy is to remove and replace the Goracash plugin with an alternative solution (Patchstack).