CVE-2025-58691: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Genesis Club Lite WordPress plugin, identified as CVE-2025-58691. The vulnerability affects all versions of Genesis Club Lite through version 1.17. The issue was discovered by Muhammad Yudha - DJ and was publicly disclosed on September 22, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 Base Score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires Contributor or higher level privileges to exploit (Patchstack).

This vulnerability could allow a malicious actor with Contributor-level access to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would then be executed when guests visit the affected site (Patchstack).

No official fix is available for this vulnerability as the software appears to be abandoned. The recommended mitigation is to remove and replace the Genesis Club Lite plugin with an alternative solution. Deactivating the software alone does not remove the security threat unless a virtual patch is deployed (Patchstack).