CVE-2025-58834: 
WordPress vulnerability analysis and mitigation

The WordPress short.io plugin versions up to 2.4.0 contains a Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and reported by Peter Thaleikis on June 11, 2025, and was publicly disclosed on September 5, 2025. The issue has been assigned CVE-2025-58834 and affects all versions of the short.io plugin through version 2.4.0 (Patchstack).

The vulnerability is classified as a DOM-Based Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

This vulnerability could allow an authenticated attacker with Contributor-level privileges or higher to inject malicious scripts into the website. When executed, these scripts could potentially lead to unauthorized actions, including redirects, insertion of unwanted advertisements, and execution of other malicious HTML payloads when visitors access the affected site (Patchstack).

As of the disclosure date, no official fix has been released for this vulnerability. Website administrators running affected versions of the short.io plugin should consider implementing additional security controls or temporarily disabling the plugin until a patch becomes available (Patchstack).