Page-list Vulnerability (Medium) – CVE-2025-58030

by | Feb 25, 2026 | Plugins

Attack Vectors

CVE-2025-58030 is a Medium-severity Stored Cross-Site Scripting (XSS) vulnerability (CVSS 6.4) affecting the Page-list WordPress plugin (slug: page-list) in versions up to and including 5.8.

The primary attack path requires a user who is already authenticated in WordPress with Contributor-level access or higher. An attacker with that level of access can inject malicious script content into affected plugin inputs, which can then execute when others view the impacted page.

This matters for businesses because Contributor accounts are commonly granted to marketing teams, agencies, and content creators—expanding the risk surface if any account is compromised or misused.

Security Weakness

The issue stems from insufficient input sanitization and output escaping in Page-list <= 5.8. In practical terms, the plugin does not adequately prevent potentially dangerous content from being saved and later displayed as active code in a visitor’s browser.

Because this is a stored XSS condition, the harmful content can persist and trigger repeatedly—affecting multiple viewers over time—until it is removed and the underlying vulnerable version is updated.

Remediation is straightforward: update Page-list to version 5.9 or a newer patched version, and review which users truly need Contributor (or higher) access.
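
The remediation check above can be scripted with WP-CLI. This is an added example, not code from the plugin or from the advisory's author. It assumes WP-CLI (`wp`) and a `sort` that supports `-V`; the variable `WP_PATH` (the WordPress root directory) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit one WordPress install for CVE-2025-58030 exposure.
# Assumes WP-CLI ("wp") is installed; WP_PATH is a hypothetical variable
# naming the WordPress root directory.

FIXED_VERSION="5.9"   # first patched Page-list release, per the advisory

# version_lt A B: succeeds when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# pagelist_status VERSION: prints "vulnerable", "patched" or "unknown".
pagelist_status() {
    case "$1" in
        ''|*[!0-9.]*) echo "unknown" ;;   # empty or not a dotted number
        *) if version_lt "$1" "$FIXED_VERSION"; then echo "vulnerable"
           else echo "patched"; fi ;;
    esac
}

# audit_site PATH: report the installed page-list version, then list every
# account holding Contributor or a higher default role for access review.
audit_site() {
    path="$1"
    version=$(wp --path="$path" plugin get page-list --field=version 2>/dev/null)
    status=$(pagelist_status "$version")
    echo "page-list version: ${version:-not installed} ($status)"
    if [ "$status" = "vulnerable" ]; then
        echo "fix: wp --path=$path plugin update page-list"
    fi
    for role in contributor author editor administrator; do
        echo "== $role =="
        wp --path="$path" user list --role="$role" \
            --fields=ID,user_login,user_email --format=csv
    done
}

# Run the audit only when a site path is supplied.
if [ -n "${WP_PATH:-}" ]; then
    audit_site "$WP_PATH"
fi
```

Run it as `WP_PATH=/path/to/wordpress sh audit.sh`. Sites with custom roles need those role names added to the loop.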

Technical or Business Impacts

If exploited, this vulnerability can enable in-browser script execution in the context of your site. Business impacts may include: compromised staff sessions (leading to further unauthorized actions), unauthorized content changes, brand-damaging on-site popups or redirects, and loss of trust if customers or partners encounter suspicious behavior.

For marketing and compliance stakeholders, Stored XSS can create downstream risk: campaign landing pages could be altered, tracking or forms could be tampered with, and visitors could be routed to fraudulent destinations—potentially increasing complaint volume and jeopardizing regulatory posture depending on the data involved.

Risk is elevated in environments with many editors/contributors (internal teams or external agencies) or where password reuse/phishing increases the likelihood of an account takeover.

Similar Attacks

Stored XSS in content management platforms and plugins is a recurring pattern. Examples include:

CVE-2019-9787 (WordPress core) — Stored XSS
CVE-2021-24145 (Modern Events Calendar Lite) — Authenticated Stored XSS
