CVE-2025-26564

CVE-2025-26564 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the GNUCommerce WordPress plugin. This issue impacts all versions from n/a through 1.5.4, allowing malicious input to be insufficiently sanitized and reflected back in dynamically generated web pages.

The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no required privileges, but necessitating user interaction. Remote attackers can craft and deliver malicious payloads via user-supplied input, such as URLs or form data, tricking authenticated users into triggering the reflection. Successful exploitation executes arbitrary JavaScript in the victim's browser context within the site's scope, enabling potential theft of session cookies, account takeover, or site defacement with low impacts on confidentiality, integrity, and availability, amplified by the changed scope.

Mitigation details are available in advisories like the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/gnucommerce/vulnerability/wordpress-gnucommerce-plugin-1-5-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which documents the vulnerability in the context of the WordPress gnucommerce plugin version 1.5.4.