CVE-2025-26568

CVE-2025-26568 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin "Easy Amazon Product Information" by jensmueller, also referred to as easy-amazon-product-information, that allows Stored Cross-Site Scripting (XSS). This issue affects all versions of the plugin from n/a through 4.0.1 inclusive. The vulnerability is classified under CWE-352 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

The vulnerability can be exploited remotely by an unauthenticated attacker with network access and low complexity, though it requires user interaction from a victim, such as an authenticated WordPress user or administrator. In an attack scenario, the adversary tricks the victim into visiting a malicious webpage that submits a forged request to the vulnerable plugin endpoint, enabling the storage of a malicious XSS payload on the site. This Stored XSS can then execute in the context of other users' browsers, potentially leading to session hijacking, data theft, or further site compromise, with low impacts to confidentiality, integrity, and availability but changed scope.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/easy-amazon-product-information/vulnerability/wordpress-easy-amazon-product-information-plugin-4-0-1-csrf-to-stored-xss-vulnerability?_s_id=cve details this CSRF to Stored XSS vulnerability in the plugin version 4.0.1. Security practitioners should consult the advisory for guidance on verification, patching, and mitigation steps.