CVE-2025-26981
Published: 25 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-26981 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the Web Accessibility By accessiBe WordPress plugin developed by accessiBe. This issue impacts all versions of the plugin up to and including 2.5. The vulnerability has a CVSS v3.1 base score of 7.1, reflecting its high severity due to network accessibility and scope change.
A remote attacker with no privileges can exploit this vulnerability over the network with low complexity, provided a user is tricked into interacting with malicious content, such as clicking a crafted link. Successful exploitation lets the attacker inject and execute arbitrary script in the victim's browser, with low impact on confidentiality, integrity, and availability (for example, theft of session data or minor page manipulation); the scope change reflects that the effect lands in the user's browser rather than in the vulnerable plugin itself.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/accessibe/vulnerability/wordpress-web-accessibility-by-accessibe-plugin-2-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on this WordPress plugin vulnerability, including recommended mitigations such as updating to a patched version beyond 2.5. Security practitioners should verify plugin updates and apply input sanitization best practices for web accessibility tools.
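The mitigation above refers to input sanitization; the following PHP fragment is an added example, not code from the accessiBe plugin or from Patchstack, showing the reflected-output pattern behind CWE-79 in a WordPress plugin next to a hardened version that sanitizes the input, allow-lists the expected values and escapes for each output context. The parameter name `tab`, the function names `render_heading_unsafe`/`render_heading_safe` and the allow-list are assumptions; the `function_exists` shims stand in for the real WordPress helpers only so the file runs under the PHP CLI.

```php
<?php
// Added example (not plugin code). The shims below mirror the WordPress
// helpers closely enough to run this file with `php` outside WordPress;
// inside WordPress the real esc_html()/esc_attr()/sanitize_text_field()
// and wp_unslash() are used instead.
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags($s)); }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($s) { return stripslashes($s); }
}

// Vulnerable pattern (CWE-79): a request parameter is written straight into
// the page, so whatever a crafted link carries is rendered as markup.
function render_heading_unsafe(array $get): string {
    $tab = $get['tab'] ?? 'overview';
    return '<h2 id="' . $tab . '">' . $tab . '</h2>';
}

// Hardened pattern: sanitize the raw value, allow-list it against the
// tabs the plugin actually has (assumed set), and escape separately for
// the attribute context and the element-text context.
const ALLOWED_TABS = ['overview', 'settings', 'reports'];
function render_heading_safe(array $get): string {
    $raw = sanitize_text_field(wp_unslash($get['tab'] ?? 'overview'));
    $tab = in_array($raw, ALLOWED_TABS, true) ? $raw : 'overview';
    return '<h2 id="' . esc_attr($tab) . '">' . esc_html($tab) . '</h2>';
}

// Constructed input standing in for a crafted query string.
$sample = ['tab' => 'overview"><b>not a tab</b>'];
echo render_heading_unsafe($sample), "\n"; // markup lands in the page as-is
echo render_heading_safe($sample), "\n";   // falls back to a known tab
```

Where the reflected value is free text rather than one of a fixed set, the escaping calls alone are the essential fix; the allow-list is defence in depth for values the plugin already knows.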
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1059.007 (Command and Scripting Interpreter: JavaScript)
Why these techniques?
Reflected XSS in a public-facing WordPress plugin directly enables exploitation of an internet-facing web application (T1190) and arbitrary JavaScript execution in the victim's browser context (T1059.007).