CVE-2025-58030: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress Page-list plugin, identified as CVE-2025-58030. The vulnerability affects Page-list versions through 5.7 and was disclosed on September 22, 2025. The security issue was discovered by researcher zaim and allows authenticated users with Contributor-level access or higher to perform stored XSS attacks (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 score of 6.5 (Medium). The attack vector is characterized as Network (N) with Low attack complexity (AC), requiring Low privileges (PR), and User Interaction (UI). The scope is Changed (C) with Low confidentiality, integrity, and availability impacts (NVD).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

Website administrators are advised to update to Page-list version 5.9 or later to remediate this vulnerability. The fix was released shortly after the vulnerability disclosure (Patchstack).