CVE-2025-26575
Published: 26 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26575 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Display Post Meta WordPress plugin by Kyle Maurer. The issue affects the plugin from its initial release (n/a) through version 2.4.4.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable over the network with low attack complexity and no privileges required, though it demands user interaction such as clicking a malicious link. An unauthenticated attacker can inject and reflect malicious scripts via user-controlled input during web page generation, executing them in the victim's browser context and achieving low impacts on confidentiality, integrity, and availability due to the changed scope.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/display-post-meta/vulnerability/wordpress-display-post-meta-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a reflected XSS vulnerability (CWE-79) in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications to execute malicious scripts in the victim's browser context.