CVE-2025-26984
Published: 03 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-26984 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Cozy Vision SMS Alert Order Notifications plugin (sms-alert) for WordPress. This issue affects all versions of the plugin from its initial release through 3.7.8.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Unauthenticated attackers with network access can exploit it through low-complexity attacks that require user interaction, such as tricking victims into visiting a malicious URL or interacting with crafted input reflected on the page. Exploitation enables script execution in the context of the victim's browser, resulting in low impacts to confidentiality, integrity, and availability, with a changed scope.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-woocommerce-plugin-3-7-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents this vulnerability in the WordPress SMS Alert Order Notifications WooCommerce plugin version 3.7.8, recommending mitigation through updating to a patched version beyond 3.7.8.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables T1190 exploitation via crafted malicious URLs (T1204.001) that trigger JavaScript execution (T1059.007) in the victim's browser.