CVE-2025-58212: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2025-58212) is a Cross-Site Scripting (XSS) vulnerability discovered in the Epeken All Kurir WordPress plugin, affecting versions up to and including 2.0.1. The vulnerability was discovered by Muhammad Yudha - DJ and was publicly disclosed on August 27, 2025. This DOM-Based XSS vulnerability affects the plugin's web page generation functionality (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 6.5 (Medium). The attack vector is Network-based (AV:N), with Low attack complexity (AC:L), requiring Low privileges (PR:L) and User interaction (UI:R). The scope is Changed (S:C), with Low impact on Confidentiality, Integrity, and Availability (C:L/I:L/A:L) (Rapid7).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the injected page, potentially leading to unauthorized data access, session hijacking, or other client-side attacks (Rapid7).

The vulnerability has been patched in version 2.0.2 of the Epeken All Kurir plugin. Users are advised to update to version 2.0.2 or later to remove the vulnerability. The security issue has been classified as having a low severity impact and is considered unlikely to be exploited (Patchstack).