CVE-2025-26586
Published: 03 March 2025
Description
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Security Summary
CVE-2025-26586 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Events Planner WordPress plugin developed by abelony. The advisory, published on 2025-03-03, states that all versions of the events-planner plugin up to and including 1.3.10 are affected.
An unauthenticated remote attacker can exploit this vulnerability by crafting input that is reflected into the generated page without proper neutralization; exploitation requires user interaction, such as clicking a crafted link. Successful exploitation executes arbitrary script in the victim's browser within the site's origin. The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): the scope is changed, and the impacts to confidentiality, integrity, and availability are each rated low.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/events-planner/vulnerability/wordpress-events-planner-plugin-1-3-10-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability lets an attacker inject and execute arbitrary JavaScript in a victim's browser by reflecting malicious input through a crafted URL pointing at the public-facing site running the vulnerable WordPress plugin. This maps directly to drive-by compromise: the user visits the site in the normal course of browsing, and the injected script executes in their browser context.