CVE-2025-58992: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress Product Catalog Simple plugin, identified as CVE-2025-58992. The vulnerability affects versions up to and including 1.8.2, and was disclosed on September 22, 2025. The security issue was initially reported by Muhammad Yudha - DJ on September 11, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's functionality (Rapid7, Patchstack).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page. This could enable attackers to inject malicious scripts, redirects, advertisements, and other HTML payloads that execute when guests visit the affected site (Rapid7, Patchstack).

The vulnerability has been fixed in version 1.8.3 of the Product Catalog Simple plugin. Users are advised to update to version 1.8.3 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).