CVE-2025-58985: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in WPFactory Additional Custom Product Tabs for WooCommerce plugin affecting versions through 1.7.3. The vulnerability was reported on July 15, 2025, and publicly disclosed on September 9, 2025. The issue has been assigned CVE-2025-58985 and received a CVSS v3.1 score of 6.5 (Medium) (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). It requires low privileges (Contributor level or above) and user interaction for successful exploitation. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, and low required privileges (NVD).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

The vulnerability has been fixed in version 1.7.4 of the Additional Custom Product Tabs for WooCommerce plugin. Users are advised to update to version 1.7.4 or later to remediate this security issue (Patchstack).