CVE-2025-26554
Published: 15 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-26554 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WP Discord Post plugin developed by Nicola Mustone for WordPress. The issue affects the plugin from unspecified initial versions through version 2.1.0 inclusive. Published on 2025-03-15, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.
Attackers can exploit this vulnerability remotely without authentication or privileges by crafting malicious input that reflects unsanitized on a web page, requiring user interaction such as clicking a phishing link or visiting a malicious site. Exploitation occurs in the victim's browser context, enabling limited impacts on confidentiality (e.g., stealing session cookies), integrity (e.g., modifying page content), and availability, with the changed scope potentially allowing actions across security boundaries on the same site.
Patchstack has documented this reflected XSS vulnerability specifically in WP Discord Post plugin version 2.1.0, providing details for security practitioners to assess and address exposure in affected WordPress environments.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS is exploited via crafted malicious links (T1566.002 Spearphishing Link) that execute arbitrary JavaScript in the victim's browser (T1059.007 JavaScript), as directly described in the attack vector requiring user interaction like clicking a phishing link.