CVE-2025-58646
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in the Mobi2Go WordPress plugin allows attackers to inject malicious scripts into web pages that are then executed when other users view those pages. The vulnerability affects all versions up to 1.0.0 of the Mobi2Go plugin, potentially compromising any WordPress site using this plugin.
💻 Affected Systems
- Mobi2Go WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deface websites by injecting persistent malicious content.
Likely Case
Attackers inject malicious JavaScript that steals user session cookies or credentials when users visit compromised pages, leading to account takeover.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before reaching users, preventing execution.
🎯 Exploit Status
Exploitation requires finding and targeting specific input fields that lack proper sanitization. The vulnerability is stored/persistent, making it more dangerous than reflected XSS.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.0.0 (check vendor for specific version)
Vendor Advisory: https://patchstack.com/database/wordpress/plugin/mobi2go/vulnerability/wordpress-mobi2go-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Mobi2Go plugin. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and remove plugin until patch is released.
🔧 Temporary Workarounds
Input Validation and Output Encoding
allImplement proper input validation and output encoding in custom code that interacts with the plugin
🧯 If You Can't Patch
- Disable or remove the Mobi2Go plugin from WordPress
- Implement a Web Application Firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Mobi2Go version 1.0.0 or earlierCheck Version:
wp plugin list --name=mobi2go --field=versionVerify Fix Applied:
Verify plugin version is updated beyond 1.0.0 in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to plugin endpoints
- JavaScript injection patterns in request logs
- Multiple failed XSS attempts
Network Indicators:
- Malicious script payloads in HTTP requests
- Suspicious outbound connections after page loads
SIEM Query:
source="wordpress.log" AND ("mobi2go" OR "XSS" OR "script") AND status=200