CVE-2025-26989
Published: 03 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-26989 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the softdiscover Zigaform zigaform-form-builder-lite WordPress plugin. This issue affects all versions of the plugin from n/a through 7.4.2 inclusive. The vulnerability was published on 2025-03-03.
The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction needed for exploitation, with changed scope and low impacts to confidentiality, integrity, and availability. Unauthenticated attackers can submit malicious input that is stored and later rendered without neutralization on web pages, executing scripts in the browsers of users (such as site administrators) who view the affected content.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/zigaform-form-builder-lite/vulnerability/wordpress-zigaform-form-builder-lite-plugin-7-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in the Zigaform Form Builder Lite plugin up to version 7.4.2.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing WordPress plugin directly enables T1190 exploitation of the vulnerable application; allows arbitrary JavaScript execution in victim browsers (T1059.007) for browser session hijacking (T1185) and stealing web session cookies (T1539).