CVE-2025-26554
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nicola Mustone WP Discord Post wp-discord-post allows Reflected XSS. This issue affects WP Discord Post: from n/a through <= 2.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in WP Discord Post ≤2.1.0 allows attackers to inject malicious scripts via unvalidated input, enabling redirects, ads, or other payloads.
This reflected cross-site scripting (XSS) vulnerability in the WP Discord Post plugin for WordPress arises from improper neutralization of user-supplied input during web page generation. The plugin fails to sanitize or escape certain parameters before including them in HTTP responses, allowing an attacker to inject arbitrary HTML or JavaScript code [1].
The attack vector is a crafted URL containing the malicious payload. While the required privilege is low, successful exploitation requires user interaction: a victim with appropriate roles must click the malicious link, visit a crafted page, or submit a specially formed form. This makes the vulnerability suitable for mass-exploit campaigns targeting thousands of WordPress sites regardless of size or popularity [1].
An attacker exploiting this vulnerability can inject scripts that execute in the context of the victim's browser session. Potential impacts include redirecting visitors to malicious sites, displaying unwanted advertisements, stealing session cookies, or defacing the website. The CVSS v3 base score is 7.1 (High), and the vulnerability is rated moderately dangerous with exploitation expected [1].
Patchstack has issued a mitigation rule to block attacks until an official patch is available, tested, and safely applied. As immediate action, users should update the WP Discord Post plugin beyond version 2.1.0, or apply the provided mitigation if unable to update [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.1.0
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.