CVE-2025-26918
Published: 03 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-26918 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin Small Package Quotes – Unishippers Edition by enituretechnology. The issue affects the plugin in all versions from n/a through 2.4.9 inclusive. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, and changed scope.
Unauthenticated attackers can exploit this vulnerability remotely by crafting malicious input that reflects unsanitized on a web page, requiring user interaction such as clicking a specially prepared link. Exploitation occurs in the victim's browser context, enabling limited impacts on confidentiality, integrity, and availability, such as potential session hijacking or script execution within the site.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/small-package-quotes-unishippers-edition/vulnerability/wordpress-small-package-quotes-unishippers-edition-plugin-2-4-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the vulnerability specifically for versions up to 2.4.9, providing details for practitioners to assess affected installations.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables malicious script execution in victim's browser, directly facilitating browser session hijacking (T1185) and stealing web session cookies (T1539).