CVE-2025-23626
Published: 23 January 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fukushima Kumihimo kumihimo allows Reflected XSS. This issue affects Kumihimo: from n/a through <= 1.0.2.
Security Summary
CVE-2025-23626 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS), affecting the Kumihimo WordPress plugin developed by fukushima. This issue impacts all versions of the plugin up to and including 1.0.2, as the vulnerable range is listed from n/a through <= 1.0.2. The vulnerability carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts on confidentiality, integrity, and availability.
A remote attacker without privileges can exploit this vulnerability by crafting a malicious URL that injects scripted content into a web page generated by the Kumihimo plugin. This requires a user, such as a site visitor or authenticated WordPress user, to interact by visiting the link, at which point the reflected payload executes in the victim's browser context. Successful exploitation could allow the attacker to steal session cookies, perform actions on behalf of the user, or access sensitive data within the site's scope, leveraging the changed scope (S:C) for potential cross-origin effects.
Mitigation details are provided in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/kumihimo/vulnerability/wordpress-kumihimo-plugin-1-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which documents the vulnerability in the WordPress Kumihimo plugin version 1.0.2. Security practitioners should update to a patched version if available or apply input sanitization workarounds pending vendor fixes.
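As an added illustration of the vulnerability class and of the sanitization workaround mentioned above, the following is not Kumihimo's code: it shows a reflected-XSS pattern in a hypothetical WordPress plugin handler beside its hardened form using core WordPress functions. The parameter name `q`, the function names and the shortcode name are assumptions for the example.

```php
<?php
// Added example (not the Kumihimo plugin's code). Parameter "q", the
// function names and the shortcode name are assumptions made for illustration.

// VULNERABLE pattern: a request parameter is reflected into the generated
// page without neutralization, so a crafted link controls the markup that
// the visitor's browser renders in the site's origin.
function example_search_box_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    return '<input type="text" name="q" value="' . $q . '">'
         . '<p>Results for: ' . $q . '</p>';
}

// HARDENED pattern: unslash and sanitize on input, then escape for the
// specific output context (attribute value vs. HTML text content).
function example_search_box_hardened() {
    $q = isset( $_GET['q'] )
        ? sanitize_text_field( wp_unslash( $_GET['q'] ) )
        : '';
    // esc_attr() neutralizes quotes and angle brackets inside an attribute;
    // esc_html() does the same for text nodes. If limited HTML must be
    // allowed, wp_kses_post() is the filter to use instead of raw output.
    return '<input type="text" name="q" value="' . esc_attr( $q ) . '">'
         . '<p>Results for: ' . esc_html( $q ) . '</p>';
}

// Shortcodes must return their markup rather than echo it.
add_shortcode( 'example_search_box', 'example_search_box_hardened' );
```

When reviewing a plugin for this CWE, look for any `$_GET`, `$_POST` or `$_REQUEST` value (or `$_SERVER['REQUEST_URI']`) that reaches the output without passing through an `esc_*()` or `wp_kses*()` call for its context.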
Details
- CWE(s)