CVE-2025-26588
Published: 03 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-26588 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the TTT Crop WordPress plugin developed by gabrielperezs. This issue affects all versions of the plugin from its initial release through version 1.0 inclusive. The vulnerability was published on 2025-03-03.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no required privileges, but reliant on user interaction. Remote attackers can craft malicious inputs that reflect back to users, such as via phishing links or crafted URLs, tricking authenticated or unauthenticated users into executing arbitrary JavaScript in their browsers within the site's context. This enables potential theft of session cookies, keystroke logging, or minor disruptions, with low impacts on confidentiality, integrity, and availability due to the changed scope.
The Patchstack advisory documents the Reflected XSS vulnerability specifically in TTT Crop plugin version 1.0 for WordPress, providing details on the issue for security practitioners to review.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of public-facing applications (T1190) and arbitrary JavaScript execution in browser (T1059.007) for impacts like cookie theft and keylogging.