CVE-2025-26569

CVE-2025-26569 is a Cross-Site Request Forgery (CSRF) vulnerability in the Post Thumbs WordPress plugin by callmeforsox, which enables Stored Cross-Site Scripting (XSS). The issue affects all versions of Post Thumbs from n/a through 1.5 inclusive. Published on 2025-02-13, it has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and is associated with CWE-352.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity, requiring only user interaction such as clicking a malicious link. By tricking a user into submitting a forged request—typically via a malicious webpage—the attacker can store an XSS payload on the target site. This leads to script execution in the context of other site users or administrators who view the affected content, with changed scope and low impacts to confidentiality, integrity, and availability.

The Patchstack advisory provides further details on this vulnerability, including mitigation recommendations, at https://patchstack.com/database/Wordpress/Plugin/post-thumbs/vulnerability/wordpress-post-thumbs-plugin-1-5-csrf-to-stored-xss-vulnerability?_s_id=cve.