CVE-2025-58625: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2025-58625) is a Stored Cross-Site Scripting (XSS) vulnerability affecting Spiffy Plugins WP Flow Plus WordPress plugin versions up to and including 5.2.5. The vulnerability was discovered by Muhammad Yudha - DJ and was publicly disclosed on September 3, 2025 (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 5.9 (Medium). The attack vector is Network-based (AV:N), with Low attack complexity (AC:L), requiring High privileges (PR:H) and User interaction (UI:R). The scope is Changed (S:C) with Low impact on Confidentiality, Integrity, and Availability (NVD).

The vulnerability allows authenticated attackers with author-level access and above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the injected page, potentially leading to unauthorized actions, data theft, or site defacement (Rapid7).

The vulnerability has been fixed in version 5.2.6 of the WP Flow Plus plugin. Users are advised to update to version 5.2.6 or later to remove the vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).