VYPR
High severity · 7.1 · NVD Advisory · Published Feb 13, 2025 · Updated Apr 23, 2026

CVE-2025-26551

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sureshdsk Bootstrap collapse bootstrap-collapse allows Stored XSS. This issue affects Bootstrap collapse: from n/a through <= 1.0.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS via CSRF in the Bootstrap collapse WordPress plugin (≤1.0.4) allows attackers to inject arbitrary scripts by tricking a privileged user into clicking a malicious link.

Vulnerability

Overview

The Bootstrap collapse WordPress plugin (versions through 1.0.4) suffers from a stored cross-site scripting (XSS) vulnerability caused by improper neutralization of user-supplied input during web page generation. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and is rated High with a CVSS v3 score of 7.1 [1].

Exploitation

Mechanism

This vulnerability can be exploited through a cross-site request forgery (CSRF) attack. An attacker crafts a malicious link or form; if a privileged user (such as an administrator) interacts with it while authenticated, the attacker can force the execution of unwanted actions under the victim's session. Because the payload is delivered via CSRF and then persists as stored XSS, this is a chained CSRF-to-stored-XSS attack, and it requires user interaction from the target. The plugin's failure to validate or sanitize input allows the injected script to be stored, persisting across page loads [1].
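The two defects that make this chain possible (a state-changing admin action with no CSRF token, and input that is stored and re-rendered without neutralization) are easiest to see side by side. The following is an added illustrative example written for this page; it is not code from the bootstrap-collapse plugin, and the option name, form field and function names (`bc_demo_*`) are assumptions. It contrasts a weak WordPress settings handler with one that closes both gaps using the standard WordPress API.

```php
<?php
// Added illustrative example; NOT code from the bootstrap-collapse plugin.
// The option name 'bc_demo_title', the field name and the bc_demo_* function
// names are assumptions made for this demonstration.

// --- Weak pattern: the CSRF-to-stored-XSS chain described above ---
// Saves POSTed input with no nonce, no capability check and no sanitization,
// then a render function prints the stored value back unescaped.
function bc_demo_save_settings_weak() {
    if ( isset( $_POST['bc_demo_title'] ) ) {
        // No check_admin_referer(): a form on any other site can trigger this
        // while an administrator is logged in (CSRF).
        // No sanitization: a <script> payload is stored verbatim.
        update_option( 'bc_demo_title', wp_unslash( $_POST['bc_demo_title'] ) );
    }
}

function bc_demo_render_weak() {
    // The stored value is echoed raw: stored XSS for every viewer of the page.
    echo '<h2>' . get_option( 'bc_demo_title', '' ) . '</h2>';
}

// --- Hardened pattern ---
function bc_demo_save_settings_hardened() {
    if ( ! isset( $_POST['bc_demo_title'] ) ) {
        return;
    }
    // 1. CSRF: the request must carry a nonce minted for this exact action;
    //    check_admin_referer() dies with an error if it is missing or invalid.
    check_admin_referer( 'bc_demo_save', 'bc_demo_nonce' );
    // 2. Authorization: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'bc-demo' ) );
    }
    // 3. Input neutralization: strip tags and control characters before storing.
    $title = sanitize_text_field( wp_unslash( $_POST['bc_demo_title'] ) );
    update_option( 'bc_demo_title', $title );
}

function bc_demo_render_hardened() {
    // 4. Output escaping appropriate to the HTML context the value lands in.
    echo '<h2>' . esc_html( get_option( 'bc_demo_title', '' ) ) . '</h2>';

    // The settings form, including the nonce field the hardened handler expects.
    echo '<form method="post">';
    wp_nonce_field( 'bc_demo_save', 'bc_demo_nonce' );
    echo '<input type="text" name="bc_demo_title" value="'
        . esc_attr( get_option( 'bc_demo_title', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

// Wiring (assumed for the demo): process the save on admin_init.
add_action( 'admin_init', 'bc_demo_save_settings_hardened' );
```

Each of the four steps is independently necessary: the nonce defeats the CSRF delivery, the capability check limits who can change the option at all, sanitization keeps script markup out of the database, and context-aware escaping (`esc_html` for element content, `esc_attr` for attribute values) prevents anything that does get stored from executing. Registering the option with `register_setting()` and a `sanitize_callback` is an equivalent way to enforce step 3 through the Settings API. When reviewing a plugin for this class of bug, look for any `update_option()` or `$wpdb` write reachable from a request that lacks a `check_admin_referer()` / `wp_verify_nonce()` call, and any `echo` of stored data without an `esc_*` wrapper.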

Impact

A successful attack results in stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. Because the script is stored, it affects all users who view the compromised page, widening the potential damage.

Mitigation

Status

The vendor has released a fix; users are strongly advised to update the plugin to the latest available version immediately. If updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance. Given that such vulnerabilities are frequently used in mass-exploit campaigns, timely patching is critical [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 1
