CVE-2025-26563
Published: 03 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-26563 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS), in the rocket-wp-mobile WordPress plugin by Muneeb Mobile. The issue affects Mobile plugin versions from n/a through 1.3.3 and is associated with CWE-79.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability can be exploited remotely over the network by unauthenticated attackers requiring low complexity and user interaction, such as visiting a malicious link. Exploitation changes scope and allows limited impacts on confidentiality, integrity, and availability, typically through script execution in the victim's browser context.
The Patchstack advisory provides details on this vulnerability in the rocket-wp-mobile plugin at https://patchstack.com/database/Wordpress/Plugin/rocket-wp-mobile/vulnerability/wordpress-rocket-mobile-plugin-0-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS in a public-facing WordPress plugin is exploited via crafted malicious links requiring user interaction to trigger browser script execution, directly mapping to exploiting public-facing apps and user execution via malicious links.