CVE-2025-58638: 
WordPress vulnerability analysis and mitigation

The Institutions Directory plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2025-58638) discovered in versions up to and including 1.3.3. The vulnerability was publicly disclosed on August 30, 2025, and was identified by security researcher João Pedro S Alcântara (Kinorth) (Wordfence Intel).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue due to insufficient input sanitization and output escaping in the plugin. It has received a CVSS score of 6.1 (Medium) with a vector string of (AV:N/AC:M/Au:N/C:P/I:P/A:N). The vulnerability falls under the OWASP Top 10 category A3: Injection (Patchstack Database, Rapid7).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute when users perform specific actions, such as clicking on a malicious link. This could enable attackers to inject malicious scripts, redirects, advertisements, and other HTML payloads that execute when visitors access the affected site (Patchstack Database).

The vulnerability has been patched in version 1.3.4 of the Institutions Directory plugin. Site administrators are advised to update to this version or later immediately. For sites unable to update immediately, Patchstack has issued a mitigation rule to block potential attacks until the update can be applied (Patchstack Database).