CVE-2025-26578

CVE-2025-26578 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Simple Documentation WordPress plugin (client-documentation) developed by mathieuhays. This flaw allows for Stored Cross-Site Scripting (XSS) and affects all versions from unknown initial release through 1.2.8. The vulnerability received a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and scope change despite needing user interaction.

Attackers can exploit this vulnerability remotely without authentication by tricking authenticated users into interacting with a malicious webpage or link that submits a forged request to the vulnerable plugin. This enables the injection and storage of XSS payloads, which execute in the context of other users viewing the affected documentation, potentially leading to session hijacking, data theft, or further site compromise with low impacts on confidentiality, integrity, and availability.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/client-documentation/vulnerability/wordpress-simple-documentation-plugin-1-2-8-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on this CSRF-to-stored-XSS issue in Simple Documentation version 1.2.8. Published on 2025-02-13, no specific patch details are outlined in available information, but updating beyond version 1.2.8 is implied for mitigation.