Cyber Posture

CVE-2025-26987

High

Published: 25 February 2025

Published
25 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0011 28.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may abuse various implementations of JavaScript for execution.

Security Summary

CVE-2025-26987 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Shabti Kaplan Frontend Admin by DynamiApps acf-frontend-form-element WordPress plugin. This issue affects Frontend Admin by DynamiApps versions from n/a through 3.25.17. Published on 2025-02-25, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity by tricking users into performing an action, such as clicking a malicious link. Exploitation enables script execution in the victim's browser context, potentially leading to low impacts on confidentiality (e.g., limited data exposure), integrity (e.g., minor modifications), and availability (e.g., minor disruptions), with a changed scope affecting other users or resources.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/acf-frontend-form-element/vulnerability/wordpress-frontend-admin-by-dynamiapps-plugin-3-25-17-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the Reflected XSS in version 3.25.17 and provides guidance on mitigation for affected WordPress installations.

Details

CWE(s)
CWE-79

Affected Products

dynamiapps
frontend admin
≤ 3.25.18

MITRE ATT&CK Enterprise Techniques

T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
attack.mitre.org →
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
Why these techniques?

Reflected XSS is exploited by tricking users into clicking a malicious link, enabling arbitrary JavaScript execution in the victim's browser context.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References