CVE-2025-58230: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in bdthemes ZoloBlocks WordPress plugin, identified as CVE-2025-58230. The vulnerability affects versions through 2.3.11 and was reported by security researcher Abu Hurayra on July 31, 2025, with public disclosure occurring on September 22, 2025. The vulnerability specifically allows DOM-Based XSS attacks for users with Contributor or higher privileges (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 6.5 (Medium severity). The attack vector is characterized by CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, required low privileges, user interaction, and low impact on confidentiality, integrity, and availability (NVD).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site, potentially compromising user security and website integrity (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The issue affects versions up to 2.3.11, and users are advised to monitor for updates from the plugin developer (Patchstack).