CVE-2025-58665: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in Form Generator for WordPress plugin (versions through 1.5.2). The vulnerability was identified and disclosed on September 22, 2025, tracked as CVE-2025-58665. This security flaw affects the tmontg1 Form Generator for WordPress plugin and allows for Stored XSS attacks (NVD, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') issue. It has received a CVSS v3.1 base score of 5.9 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires high privileges and user interaction to exploit, with network-based attack vector. The weakness is categorized as CWE-79 (NVD, AttackerKB).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site. The impact is considered low to medium, affecting confidentiality, integrity, and availability, all rated as Low in the CVSS scoring (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The software is considered abandoned as it hasn't been updated for over a year. Users are strongly advised to remove and replace the plugin with an alternative solution (Patchstack).