CVE-2025-26544
Published: 26 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-26544 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Cross-site Scripting (CWE-79), specifically Reflected XSS, in the Max K UTM tags tracking for Contact Form 7 WordPress plugin (cf7-utm-tracking). This issue affects all versions from n/a through 2.1 inclusive. Published on 2025-03-26, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.
A remote attacker requires no privileges and can exploit it over the network with low attack complexity, though user interaction is necessary, such as a victim accessing a malicious link or page. Exploitation results in reflected XSS, allowing script execution in the victim's browser context and achieving low impacts on confidentiality, integrity, and availability across the changed scope.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/cf7-utm-tracking/vulnerability/wordpressutm-tags-landing-page-plugin-1-4-csrf-to-stored-xss-vulnerability?_s_id=cve documents the vulnerability and likely includes guidance on patches or mitigations for affected WordPress installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and facilitates arbitrary JavaScript execution in the victim's browser context (T1059.007).