Public Advisory: Include Me Plugin XSS Risk (CVE-2025-58983)

WordPress Include Me Plugin
Plugin Name: Include Me
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2025-58983
Urgency: Low
CVE Publish Date: 2025-09-09
Source URL: CVE-2025-58983

Include Me Plugin (<=1.3.2) XSS: What WordPress Site Owners Must Do Right Now

A Cross‑Site Scripting (XSS) vulnerability has been disclosed in the “Include Me” WordPress plugin (versions up to and including 1.3.2; fixed in 1.3.3, see CVE-2025-58983). This advisory explains the technical risk, realistic attack scenarios, who is affected, immediate containment steps, safe remediation, and longer‑term hardening measures. The guidance is practical and aimed at site owners and technical teams.

Executive summary (the tl;dr)

  • Vulnerability: Stored Cross‑Site Scripting (XSS) in Include Me plugin ≤ 1.3.2 (CVE-2025-58983).
  • Required privilege (reported): Administrator.
  • Impact: Stored XSS enabling JavaScript/HTML injection that executes in visitors’ or administrators’ browsers.
  • Severity: CVSS around 5.9 (medium), context-dependent; real risk grows if administrative credentials are compromised.
  • Fixed in: 1.3.3 — update immediately if the plugin is in use.
  • If you cannot update now: restrict admin access, deactivate the plugin if feasible, enforce monitoring and containment.

Why XSS still matters (even if it “only” needs an admin)

An XSS that requires an administrator to submit content may appear low risk, but administrator accounts are a common target: password reuse, phishing and credentials leaked in earlier breaches make it likely enough that an attacker ends up holding admin privileges. Once the payload is stored, the XSS can be used to:

  • Deliver phishing pages and steal credentials.
  • Create additional admin accounts or modify content persistently.
  • Load backdoors or beacon to attacker-controlled infrastructure from every page view.
  • Inject spam, malicious redirects, or SEO‑poisoning content that harms reputation.

Automated scanners fingerprint vulnerable plugin versions within hours of disclosure; paired with a credential‑stuffing or phishing campaign against admin accounts, a seemingly minor exposure can escalate rapidly.

What the vulnerability can do (realistic attack scenarios)

Stored XSS can have many practical consequences; examples include:

  • Session theft or token exfiltration (when combined with other weaknesses).
  • Silent admin takeover flows: creating users, changing passwords, injecting persistent scripts or backdoors.
  • Malvertising, drive‑by redirects, or fake update prompts to deliver malware to visitors.
  • Phishing under the site’s own domain for higher credibility.
  • Bypassing browser‑reliant controls (stealing CSRF tokens, altering client‑side logic).

Who is affected

  • Any WordPress installation running Include Me ≤ 1.3.2 is potentially vulnerable.
  • The reported required privilege is Administrator, so an attacker who already holds an admin account can use the flaw to persist script in plugin‑managed output. Note that on a single‑site install Administrators already hold the unfiltered_html capability and can place script in posts directly, so the added exposure is largest on multisite installs (where only Super Admins have unfiltered_html) and on sites that define DISALLOW_UNFILTERED_HTML.
  • Sites with multiple operators or third‑party agencies that have admin access are higher risk.

Immediate actions (first 90 minutes)

  1. Check plugin version
    • WP Admin → Plugins to view the installed version.
    • Or via command line: wp plugin get include-me --field=version.
  2. If on ≤ 1.3.2: Update immediately

    Apply the plugin update to 1.3.3 (or later). If your environment permits, prioritise the security update even if you plan later testing in staging.

  3. If you cannot update right away
    • Place the site behind maintenance mode where feasible.
    • Restrict wp-admin access by IP allowlist, VPN, or web‑server rules.
    • Temporarily deactivate the plugin if it is non‑essential.
    • Enable or enforce multi‑factor authentication for all admin accounts and rotate admin passwords.
  4. Inspect admin‑editable content

    Search for recently modified content in plugin settings and pages managed by the plugin. Look for unexpected
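The steps above (check the version, update, fall back to deactivation, then inspect stored content) as one runnable triage script. This is an added example, not code from the advisory or from the Include Me plugin. It assumes wp-cli is installed as `wp` and is run from the WordPress root (or with WP_CLI_PATH / --path set); the plugin slug `include-me` is the one the advisory uses, and the `<script`/`onerror=`/`onload=` patterns searched for in step 4 are a starting set chosen here, not a complete list. The version comparison is written in plain awk so it does not depend on GNU `sort -V`.

```shell
#!/bin/sh
# Added example, not part of the advisory or the Include Me plugin: triage one
# WordPress install for CVE-2025-58983 with wp-cli (steps 1-3 above) and list
# stored content carrying script tags or inline event handlers (step 4).
# Assumptions: wp-cli is installed as `wp`, the script runs from the WordPress
# root (or WP_CLI_PATH / --path is set), and the plugin slug is include-me.

FIXED_VERSION="1.3.3"

# version_lt A B: exit 0 when dotted version A sorts before B, 1 otherwise.
# Pure awk so it works without GNU sort -V; missing components count as 0.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    len = (n > m) ? n : m;
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0;
      yi = (i <= m) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1;  # equal versions are not less-than
  }'
}

# is_vulnerable VERSION: exit 0 when VERSION is below the fixed release 1.3.3.
is_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# Installed plugin version; prints nothing and exits non-zero if not installed.
installed_version() {
  wp plugin get include-me --field=version 2>/dev/null
}

# Step 4 helper: posts/pages whose stored HTML contains a script tag or an
# inline event handler, newest first. The table prefix is read from wp-config
# (patterns are a constructed starting set, not an exhaustive XSS signature).
inspect_content() {
  prefix="$(wp config get table_prefix)"
  wp db query "SELECT ID, post_type, post_modified, post_title
               FROM ${prefix}posts
               WHERE post_content LIKE '%<script%'
                  OR post_content LIKE '%onerror=%'
                  OR post_content LIKE '%onload=%'
               ORDER BY post_modified DESC LIMIT 50"
}

# Steps 1-3: detect, update, and fall back to deactivation if the update fails.
triage() {
  ver="$(installed_version)" || ver=""
  if [ -z "$ver" ]; then
    echo "include-me is not installed; nothing to do"
    return 0
  fi
  if is_vulnerable "$ver"; then
    echo "include-me $ver is affected by CVE-2025-58983; updating to $FIXED_VERSION or later"
    if ! wp plugin update include-me; then
      echo "update failed; deactivating the plugin as containment"
      wp plugin deactivate include-me
    fi
  else
    echo "include-me $ver is already at or above $FIXED_VERSION"
  fi
  inspect_content
}

# Run the live triage only when explicitly requested, so the file can also be
# sourced to reuse the version helpers:  RUN_TRIAGE=1 sh triage-include-me.sh
if [ "${RUN_TRIAGE:-0}" = "1" ]; then
  triage
fi
```

Run it once per site (or loop it over your `--path` list). The deactivation fallback is deliberate: if the update cannot be applied, the advisory's own containment advice is to remove the plugin from the request path rather than leave a known-vulnerable version live. Plugin settings live in the options table under a name the advisory does not give, so inspect those by hand in the plugin's settings screen as well.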