CVE-2025-26917
Published: 03 March 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-26917 is an Improper Neutralization of Input During Web Page Generation vulnerability, manifesting as a Reflected Cross-site Scripting (XSS) issue under CWE-79. It affects the WP Templata plugin (wptemplata) developed by HasThemes for WordPress, impacting all versions from n/a through 1.0.7 inclusive. The vulnerability was published on 2025-03-03.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the flaw is exploitable over the network with low attack complexity and no privileges required, though it demands user interaction. Remote attackers can trick authenticated or unauthenticated users into interacting with maliciously crafted links or inputs that reflect executable scripts in the browser, leveraging the changed scope to impact the site's security context and achieve low confidentiality, integrity, and availability effects.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wptemplata/vulnerability/wordpress-wp-templata-plugin-1-0-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents this reflected XSS in WP Templata version 1.0.7, advising practitioners to monitor for vendor patches or updates to mitigate exposure.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 (exploiting the web app via crafted input) and facilitates T1566.002 (delivery via malicious links that reflect the script).