CVE-2025-26556

CVE-2025-26556 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79, in the zzmaster WP AntiDDOS plugin (wpantiddos) for WordPress. This issue affects all versions from n/a through 2.0 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1, reflecting network accessibility (AV:N), low attack complexity (AC:L), no required privileges (PR:N), user interaction (UI:R), changed scope (S:C), and low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L).

Attackers can exploit this vulnerability remotely over the network without authentication by crafting malicious inputs or links that are reflected unsanitized in the web page generation process. Exploitation requires a victim to interact with the malicious payload, such as clicking a link, which executes JavaScript in the context of the vulnerable WordPress site. This can enable theft of session cookies, keystroke logging, or other client-side attacks within the site's scope, potentially compromising user accounts or performing actions on behalf of the victim.

Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/wpantiddos/vulnerability/wordpress-wp-antiddos-plugin-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve, provide details on the vulnerability in WP AntiDDOS plugin version 2.0 and related mitigations for affected installations.