CVE-2025-58612: 
WordPress vulnerability analysis and mitigation

A Stored Cross-site Scripting (XSS) vulnerability was discovered in PropertyHive WordPress plugin, identified as CVE-2025-58612. The vulnerability affects PropertyHive versions through 2.1.5 and was disclosed on September 3, 2025. This security issue allows attackers to inject malicious scripts into web pages that are then stored and executed when users visit the affected sites (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), low privileges (PR:L), and user interaction (UI:R). The scope is changed (S:C), with low impacts on confidentiality, integrity, and availability (Patchstack).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site, potentially compromising user data and website integrity (Patchstack).

The vulnerability has been patched in PropertyHive version 2.1.6. Users are advised to update to version 2.1.6 or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).