CVE-2025-58880: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in the Translate This gTranslate Shortcode WordPress plugin, identified as CVE-2025-58880. The vulnerability affects all versions through 1.0 of the plugin and was disclosed on September 5, 2025. The security researcher Mika initially reported this issue on June 27, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) that allows for Stored XSS attacks. It received a CVSS v3.1 base score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires contributor-level privileges to exploit (NVD, Patchstack).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects and advertisements, as well as other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

As of the disclosure date, no official fix has been made available for this vulnerability. Given the low severity impact, the risk is considered minimal, but website administrators should monitor for updates and implement general security best practices (Patchstack).