CVE-2025-26552
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in badrHan Naver Syndication V2 badr-naver-syndication allows Stored XSS. This issue affects Naver Syndication V2: from n/a through <= 0.8.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Naver Syndication V2 plugin (≤0.8.3) allows attackers to inject malicious scripts via CSRF, leading to potential site compromise.
The Naver Syndication V2 plugin for WordPress fails to properly sanitize user input before storing it, leading to a stored cross-site scripting (XSS) vulnerability. This allows an attacker to inject arbitrary JavaScript or HTML that will be executed when other users access the affected page [1].
The vulnerability can be triggered via a Cross-Site Request Forgery (CSRF) attack. An attacker can craft a malicious link or form that, when clicked by a privileged user (e.g., an administrator), causes the plugin to store the malicious payload. No direct authentication is needed for the attacker, but they must trick a logged-in user into performing the action [1].
Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive data. The Patchstack advisory notes that such vulnerabilities are used in mass-exploit campaigns targeting thousands of websites [1].
The vulnerability affects versions up to 0.8.3. Users should update the plugin to a patched version if available. If no update is available, consider disabling the plugin or implementing a web application firewall. The advisory emphasizes immediate action due to active exploitation [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=0.8.3
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.