CVE-2025-58873: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the Pushe Web Push Notification WordPress plugin, tracked as CVE-2025-58873. The vulnerability affects versions up to 0.5.0 of the plugin and was discovered by researcher Que Thanh Tuan. The issue was publicly disclosed on September 5, 2025 (Wordfence Intel, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires administrator-level privileges to exploit (NVD, Patchstack).

If exploited, this vulnerability could allow an attacker to inject malicious scripts, including redirects and advertisements, as well as other HTML payloads into the website. These malicious scripts would be executed when visitors access the affected site (Patchstack).

As no official fix is available and the software appears to be abandoned, the recommended mitigation is to remove and replace the Pushe Web Push Notification plugin with an alternative solution. It's important to note that merely deactivating the plugin does not remove the security threat unless a virtual patch is deployed (Patchstack).