CVE-2025-58787: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in themifyme Themify Popup plugin affecting versions through 1.4.4. The vulnerability was disclosed on September 5, 2025, and was assigned CVE-2025-58787. The issue specifically affects the WordPress plugin Themify Popup and requires contributor-level privileges to exploit (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based, requires low attack complexity, low privileges, and user interaction (NVD, Patchstack).

The vulnerability allows attackers to inject malicious scripts, which could lead to redirects, unauthorized advertisements, and execution of arbitrary HTML payloads when users visit the affected site. The impact is considered low to moderate due to the required privileges and user interaction (Patchstack).

Users are advised to update to version 1.4.3 or later to remediate this vulnerability. The security issue has been patched in the updated version, and the fix is considered straightforward to implement (Patchstack).