CVE-2025-58240: 
WordPress vulnerability analysis and mitigation

CVE-2025-58240 is a Cross-site Scripting (XSS) vulnerability discovered in the WordPress xili-tidy-tags plugin affecting versions through 1.12.06. The vulnerability was reported on August 1, 2025, and publicly disclosed on September 22, 2025. The affected software is Michel - xiligroup dev xili-tidy-tags plugin, which allows for Stored XSS attacks (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 Base Score of 6.5 (Medium). The attack vector is characterized as Network (N), with Low attack complexity (AC), requiring Low privileges (PR), and User interaction (UI). The scope is Changed (C), with Low impact on confidentiality (C), integrity (I), and availability (A) (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site. The attack requires contributor-level privileges to exploit (Patchstack).

Currently, there is no official fix available for this vulnerability. The issue affects versions through 1.12.06, and no patched version has been released (Patchstack).