CVE-2025-26546
Published: 26 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-26546 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Pixelpro Cookies Pro (cookies-pro) WordPress plugin. This issue affects all versions from n/a through 1.0 inclusive. The vulnerability was published on 2025-03-26 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Unauthenticated attackers (PR:N) can exploit this over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as visiting a malicious site or clicking a crafted link. Exploitation changes the security scope (S:C), potentially allowing limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), such as script execution in the victim's browser context to steal session data or perform actions on their behalf.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cookies-pro/vulnerability/wordpress-cookies-pro-plugin-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on the vulnerability, including recommended mitigations such as updating the plugin beyond version 1.0.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of web applications (T1190) and arbitrary JavaScript execution in victim browsers (T1059.007).