CVE-2025-26991
Published: 25 February 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-26991 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the WPPizza WordPress plugin developed by ollybach, impacting all versions from n/a through 3.19.4.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), meaning unauthenticated attackers can exploit it remotely with low complexity by tricking users into interacting with a malicious link or payload. Successful exploitation reflects attacker-controlled input into the web page, executing arbitrary scripts in the victim's browser within the site's context, potentially leading to session hijacking, data theft, or site defacement with low impacts on confidentiality, integrity, and availability due to the changed scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wppizza/vulnerability/wordpress-wppizza-plugin-3-19-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the issue and should be consulted for mitigation guidance, including any available patches or workarounds for affected WPPizza installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables exploitation via malicious link (T1204.001), arbitrary JavaScript execution in browser (T1059.007), browser session hijacking (T1185), and stealing web session cookies (T1539).