The CiviCRM-WordPress module includes a "Quick Add" widget that can be used to trick another user into executing arbitrary HTML and JavaScript.
(This vulnerability is similar to "stored cross-site scripting". However, exploiting it requires backend access privileges in CiviCRM, so it can only be exploited by internal users who already have backend access.)
Affected versions: CiviCRM 5.58.0 (and earlier) and 5.57.3 (and earlier). This only affects WordPress-based deployments.
Fixed versions: CiviCRM 5.58.1 and 5.57.4 (ESR).
Remediation: Upgrade to a fixed version of CiviCRM.
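Triaging a fleet of WordPress sites against the version ranges above is mostly a matter of getting the branch logic right (5.57.x is the ESR line with its own fix, everything else below 5.58.1 is affected). The following helper, added here as an example and not part of CiviCRM or of the advisory, encodes exactly those ranges; the `INVENTORY` entries are constructed sample data, and the version strings are assumed to come from however you read them off each site (for instance the CiviCRM administration screens).

```python
"""Version triage for the CiviCRM-WordPress Quick Add advisory (added example, not CiviCRM code)."""
from __future__ import annotations

import re

# Ranges taken from the advisory text:
#   ESR line:  5.57.3 and earlier affected, 5.57.4 fixed
#   main line: 5.58.0 and earlier affected, 5.58.1 fixed
ESR_BRANCH = (5, 57)
ESR_FIXED = (5, 57, 4)
MAIN_FIXED = (5, 58, 1)

# Only MAJOR.MINOR.PATCH with numeric components is accepted; anything else
# (pre-release tags, truncated strings) raises so a human looks at it rather
# than the site silently being marked "not affected".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a CiviCRM version string such as '5.58.0' into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CiviCRM version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str, on_wordpress: bool = True) -> bool:
    """True when the given CiviCRM version is in the advisory's affected range.

    The issue is in the WordPress module, so non-WordPress deployments are out of
    scope regardless of version. On the 5.57 ESR branch the fix landed in 5.57.4;
    every other version below 5.58.1 (including older branches with no
    backported fix) must be upgraded.
    """
    if not on_wordpress:
        return False
    v = parse_version(version)
    if v[:2] == ESR_BRANCH:
        return v < ESR_FIXED
    return v < MAIN_FIXED


# Constructed sample inventory: site name -> (CiviCRM version, runs on WordPress?)
INVENTORY: dict[str, tuple[str, bool]] = {
    "site-a": ("5.58.0", True),   # last unfixed main-line release
    "site-b": ("5.57.4", True),   # ESR with the fix
    "site-c": ("5.57.2", True),   # ESR without the fix
    "site-d": ("5.58.1", True),   # fixed main-line release
    "site-e": ("5.58.0", False),  # hypothetical non-WordPress CMS: out of scope
}


def triage(inventory: dict[str, tuple[str, bool]]) -> list[str]:
    """Return the sorted names of sites that still need the upgrade."""
    return sorted(name for name, (ver, wp) in inventory.items() if is_affected(ver, wp))


if __name__ == "__main__":
    for name in triage(INVENTORY):
        print(f"{name}: upgrade required ({INVENTORY[name][0]})")
```

Note the deliberate choice to reject unparseable version strings rather than treat them as safe: a triage script that quietly returns "not affected" for a string it did not understand is worse than one that stops and asks.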
Credits: Andrea Intilangelo (Deloitte), Seamus Lee (CiviCRM/JMA Consulting), and Kevin Cristiano (Tadpole Collective)
Reference: security/wordpress#1
