WordPress Plugin Vulnerabilities

Multiple Plugins by eMarket Design <= Various Versions - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

Multiple plugins for WordPress by by eMarket Design are vulnerable to Stored Cross-Site Scripting in various versions due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
employee-spotlight
Fixed in 5.1.1
Plugin icon
youtube-showcase
Fixed in 3.5.1
Plugin icon
request-a-quote
Fixed in 2.5.1
Plugin icon
wp-ticket
Fixed in 6.0.1

References

CVE
CVE-2025-58915
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2da32063-3763-46b5-86ac-91883f9c809b

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Muhammad Yudha - DJ
Verified
No
WPVDB ID
d63b3a2a-c0df-4bba-a632-a9b3a8992211

Timeline

Publicly Published
2025-09-23 (about 9 months ago)
Added
2025-09-30 (about 8 months ago)
Last Updated
2025-09-30 (about 8 months ago)

Other

Published
Title
Published
2023-03-21
Title
Open Graphite < 1.6.1 - Reflected Cross-Site Scripting
Published
2023-02-15
Title
JSON Content Importer < 1.3.16 - Admin+ Stored XSS
Published
2025-03-02
Title
Random Image Selector <= 2.4 - Reflected Cross-Site Scripting
Published
2025-12-22
Title
Happy Addons for Elementor < 3.20.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS
Published
2022-01-18
Title
Give < 2.17.3 - Reflected Cross-Site Scripting via Import Tool