CVE-2025-58593: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Themeisle Orbit Fox by ThemeIsle plugin versions through 3.0.0. The vulnerability was disclosed on September 3, 2025 and assigned identifier CVE-2025-58593 (NVD, Patchstack).

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). It received a CVSS v3.1 base score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. This indicates the vulnerability requires low privileges and user interaction to exploit, has network attack vector, and can impact confidentiality, integrity and availability (Patchstack).

If exploited, this vulnerability could allow a malicious actor to inject malicious scripts into the website. These scripts could be used to redirect users, inject unwanted advertisements, or execute other malicious HTML payloads that would be executed when visitors access the affected site (Patchstack).

Users are advised to update to version 3.0.1 or later to remediate this vulnerability. Patchstack users can enable auto-update functionality for vulnerable plugins (Patchstack).