CVE-2025-26751
Published: 25 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-26751 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Alphabetic Pagination WordPress plugin by Fahad Mahmood. The issue affects all versions of the plugin from n/a through 3.2.1 inclusive.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no required privileges, but necessitating user interaction. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with maliciously crafted input reflected in web page generation, potentially achieving low impacts on confidentiality, integrity, and availability within a changed scope.
Mitigation guidance is available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/alphabetic-pagination/vulnerability/wordpress-alphabetic-pagination-plugin-3-2-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
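To illustrate the CWE-79 pattern behind this class of finding, the following is an added, hypothetical example and not code from the Alphabetic Pagination plugin; the request parameter name "letter" and the link markup are assumptions. The first function reflects a request value straight into generated HTML; the second sanitizes on input, constrains it to the expected shape, and escapes for each output context using WordPress core functions.

```php
<?php
// Hypothetical illustration of CWE-79 (reflected XSS) in a pagination helper.
// Not taken from the Alphabetic Pagination plugin; the "letter" parameter
// and the <a> markup are assumptions made for this example.

// Unsafe: the request value is written into the page with no neutralization,
// so whatever a crafted link carries in "letter" becomes part of the markup.
function ap_example_link_unsafe() {
    $letter = isset( $_GET['letter'] ) ? $_GET['letter'] : 'A';
    return '<a class="ap-letter" href="?letter=' . $letter . '">' . $letter . '</a>';
}

// Hardened: sanitize the input, allow-list its shape, build the URL with
// add_query_arg(), and escape for the attribute/URL and text contexts.
function ap_example_link_safe() {
    $letter = isset( $_GET['letter'] )
        ? sanitize_text_field( wp_unslash( $_GET['letter'] ) )
        : 'A';
    // Allow-list: exactly one ASCII letter, or the catch-all value "all".
    if ( ! preg_match( '/^(?:[A-Za-z]|all)$/', $letter ) ) {
        $letter = 'A';
    }
    $url = add_query_arg( 'letter', $letter );
    return sprintf(
        '<a class="ap-letter" href="%s">%s</a>',
        esc_url( $url ),   // URL/attribute context
        esc_html( $letter ) // text-node context
    );
}
```

The allow-list alone would block the injection; the context-specific escaping is kept so the output stays safe even if the accepted shape is later widened.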
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation)
MITRE ATT&CK Enterprise Techniques: T1204.001 (User Execution: Malicious Link), T1059.007 (Command and Scripting Interpreter: JavaScript)
Why these techniques?
Reflected XSS allows crafting malicious links (T1204.001) that execute arbitrary JavaScript (T1059.007) in the victim's browser upon interaction.