CVE-2025-26548

Vulnerability

Overview

The Random Image Selector plugin for WordPress versions up to and including 2.4 suffers from a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript into a page.

Exploitation

An unauthenticated attacker can craft a malicious link containing the XSS payload. Exploitation requires a logged-in user with administrative or other privileges to click the link, which then executes the injected script in the context of the victim's session [1]. This type of vulnerability is commonly used in mass-exploit campaigns targeting WordPress sites.

Impact

Successful exploitation enables the attacker to perform actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing sensitive information like session cookies. The CVSS score of 7.1 (High) reflects the potential for significant harm, though user interaction is required [1].

Mitigation

Users are advised to update the Random Image Selector plugin to the latest available version as soon as a patch is released. In the interim, Patchstack offers a virtual mitigation rule that blocks exploitation attempts until an official fix can be applied [1].