CVE-2025-26907
Published: 25 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-26907 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Stored Cross-site Scripting (XSS), in the Estatik Mortgage Calculator WordPress plugin (estatik-mortgage-calculator). This issue affects all versions from n/a through 2.0.12 inclusive. Published on 2025-02-25T15:15:26.263, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-79.
Low-privileged authenticated users (PR:L) can exploit this vulnerability over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U), such as injecting malicious scripts that persist and execute for other users viewing affected pages.
The Patchstack advisory provides further details on mitigation: https://patchstack.com/database/Wordpress/Plugin/estatik-mortgage-calculator/vulnerability/wordpress-estatik-mortgage-calculator-plugin-2-0-12-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing WordPress plugin directly enables exploitation of the web application (T1190) and arbitrary JavaScript execution in victim browsers (T1059.007).