The vulnerability CVE-2025-59587 affects PenciDesign's Penci Shortcodes & Performance plugin versions before 6.1. It is a DOM-based Cross-site Scripting (XSS) issue caused by improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges and user interaction, and impacting confidentiality, integrity, and availability partially. No patch or official fix details are currently available, and no known exploits have been reported.

Successful exploitation of this vulnerability could allow an attacker with low privileges to execute arbitrary scripts in the context of the affected web application, potentially leading to partial disclosure of information, modification of data, or disruption of service. The impact is limited by the requirement for user interaction and the need for some privileges on the system.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider restricting user input that interacts with the plugin and applying web application firewall (WAF) rules to detect and block potential XSS payloads. Monitor vendor channels for updates and apply patches promptly once available.