CVE-2025-58837: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Shiful H SS Font Awesome Icon plugin for WordPress, affecting versions through 4.1.3. The vulnerability was disclosed on September 5, 2025, and assigned identifier CVE-2025-58837. This security issue allows authenticated users with Contributor-level access or higher to inject malicious scripts into the website (Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The attack requires network access (AV:N), has low attack complexity (AC:L), requires low privileges (PR:L), and user interaction (UI:R). The scope is changed (S:C) with low impacts to confidentiality, integrity, and availability (NVD).

If exploited, this vulnerability could allow attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site. The software is considered abandoned, as it hasn't received updates for over a year, increasing the potential security risk (Patchstack).

As no official fix is available and the software is considered abandoned, the recommended mitigation is to remove and replace the SS Font Awesome Icon plugin with an alternative solution. Deactivating the software alone does not remove the security threat unless a virtual patch is deployed (Patchstack).