CVE-2025-26879
Published: 03 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-26879 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the s2Member WordPress plugin developed by Cristián Lávaque. This issue affects s2Member versions from n/a through <= 241216. The vulnerability was published on 2025-03-03T14:15:56.213 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low attack complexity and no required privileges, though it necessitates user interaction such as clicking a malicious link. Upon successful exploitation, adversaries achieve low impacts on confidentiality, integrity, and availability, with a changed scope that elevates the potential effects through the reflected payload, such as session hijacking or phishing within the context of affected WordPress sites.
The primary advisory from Patchstack, available at https://patchstack.com/database/Wordpress/Plugin/s2member/vulnerability/wordpress-s2member-plugin-241216-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, documents the Reflected XSS vulnerability in the s2Member plugin version 241216. Mitigation guidance emphasizes updating to a version beyond the affected range (<= 241216) to address the input neutralization flaw.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly maps to T1190 for initial exploitation of the web application; enables T1539 for stealing session cookies to achieve session hijacking as described in the impact.