CVE-2025-23726

Vulnerability

Overview CVE-2025-23726 is a reflected cross-site scripting (XSS) vulnerability in the ComparePress plugin for WordPress, affecting versions 2.0.8 and earlier. The issue stems from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into the response [1].

Exploitation

To exploit this vulnerability, an attacker must trick a user (such as an administrator) into clicking a crafted link or visiting a specially prepared page. The attack does not require authentication on the attacker's part, but successful exploitation depends on the victim performing an action like clicking a malicious URL. This pattern is commonly used in mass-exploit campaigns targeting multiple websites simultaneously [1].

Impact

If triggered, the injected script can execute in the context of the victim's browser, leading to actions such as redirecting users to malicious sites, displaying unwanted advertisements, or stealing session cookies. The vulnerability has a CVSS v3.1 score of 7.1 (High), indicating significant risk [1].

Mitigation

Users are strongly advised to update the ComparePress plugin to a patched version as soon as possible. If an immediate update is not feasible, applying a mitigation rule (e.g., from Patchstack) can block exploitation attempts until an official fix is available [1].