CVE-2025-58671: 
WordPress vulnerability analysis and mitigation

A Stored Cross-site Scripting (XSS) vulnerability was discovered in morganrichards Auction Feed plugin affecting versions through 1.1.3. The vulnerability was disclosed on September 22, 2025, and received the identifier CVE-2025-58671. This security issue allows for improper neutralization of input during web page generation (NVD, Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based, requires low attack complexity, needs no privileges, but does require user interaction. The vulnerability has been classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, AttackerKB).

The vulnerability affects confidentiality, integrity, and availability, all with low impact scores. Due to its changed scope nature, successful exploitation could potentially affect resources beyond the vulnerable component's scope (AttackerKB).

As of the disclosure date, no official fix has been released for this vulnerability. Users of the Auction Feed plugin versions 1.1.3 and below should consider implementing additional security controls or temporarily disabling the plugin until a patch becomes available (Patchstack).