CVE-2025-26874
Published: 27 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-26874 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-Site Scripting (XSS) as classified under CWE-79. It affects the MemberSpace WordPress plugin, with all versions through 2.1.13 vulnerable. The issue was published on 2025-03-27 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges but relying on user interaction, such as visiting a maliciously crafted URL. Exploitation changes the security scope, allowing limited impacts on confidentiality, integrity, and availability, typically enabling theft of session cookies, impersonation of authenticated users, or execution of arbitrary scripts in the victim's browser context.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/memberspace/vulnerability/wordpress-memberspace-plugin-2-1-13-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS issue in MemberSpace plugin version 2.1.13 for WordPress, recommending updates to a version beyond 2.1.13 to mitigate the vulnerability.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS directly enables arbitrary JavaScript execution in the browser (T1059.007) and facilitates session cookie theft (T1539) leading to browser session hijacking (T1185) via crafted malicious URLs.