CVE-2025-58240 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the xili-tidy-tags plugin developed by Michel - xiligroup dev. This vulnerability arises from improper neutralization of input during web page generation, allowing malicious scripts to be stored and subsequently executed in the context of users visiting affected web pages. The vulnerability impacts all versions of xili-tidy-tags up to and including version 1.12.06. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) reveals that the attack can be performed remotely over the network with low attack complexity, requires privileges (PR:L) and user interaction (UI:R), and affects confidentiality, integrity, and availability to a limited extent. The scope is changed (S:C), meaning the vulnerability affects components beyond the vulnerable component itself. Stored XSS vulnerabilities allow attackers to inject malicious JavaScript code that is permanently stored on the target server (e.g., in a database or content repository) and executed when other users access the affected content. This can lead to session hijacking, defacement, unauthorized actions on behalf of users, or distribution of malware. Although no known exploits are currently reported in the wild, the presence of stored XSS in a web-facing plugin used for content tagging and management poses a significant risk, especially if the plugin is used in environments with multiple users or administrators. The lack of available patches at the time of publication further increases exposure.

For European organizations using the xili-tidy-tags plugin, particularly those operating WordPress or similar CMS platforms where this plugin is deployed, the impact includes potential compromise of user accounts, leakage of sensitive information, and unauthorized actions performed under the guise of legitimate users. This can undermine trust, lead to data breaches, and disrupt business operations. Organizations in sectors with strict data protection regulations such as GDPR (e.g., finance, healthcare, government) face additional compliance risks and potential penalties if user data confidentiality or integrity is compromised. The stored nature of the XSS means that once injected, malicious scripts can affect multiple users over time, increasing the attack surface. Furthermore, the vulnerability’s ability to affect confidentiality, integrity, and availability, albeit to a limited degree, means that attackers could manipulate content or disrupt services. Given the medium severity and the requirement for some privileges and user interaction, targeted attacks against privileged users or administrators are plausible, which could escalate the impact significantly.

European organizations should immediately audit their use of the xili-tidy-tags plugin and identify all instances and versions deployed. Until an official patch is released, organizations should consider disabling or removing the plugin to eliminate exposure. Implement strict input validation and output encoding on all user-supplied data related to tagging or content management features to prevent malicious script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Monitor logs and user activity for suspicious behavior indicative of XSS exploitation attempts. Educate privileged users and administrators about the risks of interacting with untrusted content and the importance of cautious behavior when clicking links or opening content within the CMS. Once a patch becomes available, prioritize its deployment. Additionally, consider implementing Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the plugin’s endpoints. Regularly review and update security configurations and conduct penetration testing focused on XSS vulnerabilities in the CMS environment.