CVE-2025-26972
Published: 15 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-26972 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Cross-site Scripting (CWE-79), specifically a reflected XSS issue in the PrivateContent WordPress plugin. It affects all versions of the plugin from an unspecified initial release through 8.11.5. The vulnerability was published on 2025-03-15 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as clicking a malicious link. Exploitation changes scope (S:C) and allows limited impacts: low confidentiality (C:L) via potential session hijacking or data exfiltration in the victim's browser context, low integrity (I:L) through script injection, and low availability (A:L).
The Patchstack advisory provides details on the vulnerability, including remediation guidance for the PrivateContent WordPress plugin up to version 8.11.5, available at https://patchstack.com/database/wordpress/plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of the web app (T1190) and directly facilitates browser session hijacking via injected scripts (T1185).