CVE-2025-26585
Published: 03 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-26585 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the DyadyaLesha DL Leadback WordPress plugin (dl-leadback). It affects all versions from n/a through 1.2.1 inclusive. Published on 2025-03-03T14:15:55.470, the issue has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability enables exploitation over the network with low complexity, requiring no privileges but user interaction. An attacker can deliver malicious payloads via reflected inputs, such as crafted URLs or form submissions, tricking authenticated users into executing scripts in their browser context when accessing affected pages. Successful exploitation yields low impacts on confidentiality, integrity, and availability, with a changed scope allowing potential effects beyond the vulnerable component.
The primary advisory reference from Patchstack (https://patchstack.com/database/Wordpress/Plugin/dl-leadback/vulnerability/wordpress-dl-leadback-plugin-1-2-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS in DL Leadback version 1.2.1 for WordPress, providing vulnerability details for affected plugin instances.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability allows injection and execution of arbitrary scripts in authenticated users' browsers via crafted URLs, directly enabling browser session hijacking (T1185) and stealing web session cookies (T1539).