The vulnerability CVE-2025-58217 affects the GeroNikolov Instant Breaking News plugin, allowing an attacker to exploit a CSRF weakness to inject stored XSS payloads. This can result in a combined impact on confidentiality, integrity, and availability as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). The issue is present in versions up to 1.0 of the plugin. There is no evidence of known exploits in the wild at this time, and no patch or remediation details have been provided.

Successful exploitation of this vulnerability could allow an attacker to execute stored XSS attacks via CSRF, potentially leading to partial compromise of user data confidentiality, integrity, and availability. The CVSS score of 7.1 reflects a high severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction. The vulnerability affects the security posture of affected installations by enabling cross-site scripting through unauthorized requests.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or limiting use of the affected plugin to reduce exposure. Implementing standard CSRF protections and input sanitization may help mitigate risk, but these are not confirmed as effective for this specific vulnerability without vendor guidance.