CVE-2025-58974: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress WPComplete plugin, identified as CVE-2025-58974. The vulnerability affects versions up to and including 2.9.5.2 of the WPComplete plugin. The issue was initially reported by Muhammad Yudha - DJ on September 13, 2025, and was publicly disclosed on September 22, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's functionality (Rapid7).

This vulnerability could allow malicious actors to inject arbitrary web scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would execute whenever users access the affected pages. The impact is considered medium severity due to the requirement of authenticated access (Patchstack).

The vulnerability has been patched in version 2.9.5.3 of the WPComplete plugin. Users are advised to update to version 2.9.5.3 or later to remove the vulnerability. Patchstack users have the option to enable auto-updates for vulnerable plugins (Patchstack).