CVE-2025-15058 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Responsive Pricing Table plugin for WordPress, developed by spwebguy. This vulnerability exists in all versions up to and including 5.1.12 due to insufficient input sanitization and output escaping of the 'table_currency' parameter. Stored XSS occurs when malicious scripts are permanently stored on the target server, in this case within the plugin's data fields, and executed in the context of users visiting the affected pages. An authenticated attacker with at least Contributor-level privileges can exploit this flaw by injecting arbitrary JavaScript code into the 'table_currency' parameter. When other users access the page containing the injected script, the malicious code executes in their browsers, potentially compromising session tokens, redirecting users, or performing actions on their behalf. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges, no user interaction, and scope change. Although no public exploits are currently known, the vulnerability poses a risk to WordPress sites using this plugin, especially those with multiple contributors or where Contributor-level access is granted to untrusted users. The lack of patches at the time of publication necessitates immediate attention to mitigate potential exploitation.

The primary impact of CVE-2025-15058 is the compromise of confidentiality and integrity of user sessions and data on affected WordPress sites. Successful exploitation allows attackers to execute arbitrary scripts in the context of other users, potentially leading to session hijacking, theft of sensitive information, defacement, or unauthorized actions performed with victim privileges. Since the vulnerability is stored XSS, the malicious payload persists and affects all users visiting the compromised page, increasing the attack surface. Organizations relying on the Responsive Pricing Table plugin for pricing display on public or internal websites face reputational damage, data breaches, and potential regulatory consequences if user data is exposed. The requirement for Contributor-level access limits exploitation to insiders or compromised accounts, but this is a common privilege level in collaborative environments, making the threat realistic. The medium CVSS score reflects moderate risk, but the scope change indicates that the vulnerability can affect components beyond the initial attack vector, amplifying potential damage.

To mitigate CVE-2025-15058, organizations should first check for and apply any available patches or updates from the plugin vendor once released. In the absence of official patches, administrators should restrict Contributor-level access to trusted users only and audit existing user permissions to minimize risk. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious input patterns targeting the 'table_currency' parameter can provide temporary protection. Additionally, site administrators can sanitize and validate all inputs related to pricing tables manually or via custom code hooks to ensure no scripts are stored. Regular security scanning and monitoring of WordPress sites for unusual script injections or changes in pricing table content are recommended. Educating contributors about safe input practices and monitoring logs for suspicious activities can further reduce exploitation chances. Finally, consider disabling or replacing the plugin with a more secure alternative if immediate patching is not feasible.