VYPR
High severity · 7.1 · NVD Advisory · Published Mar 3, 2025 · Updated Apr 23, 2026

CVE-2025-26563

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Muneeb Mobile rocket-wp-mobile allows Reflected XSS. This issue affects Mobile: from n/a through <= 1.3.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in the Mobile plugin for WordPress (versions ≤1.3.3) allows attackers to inject malicious scripts via unneutralized input.

Vulnerability Overview

The Mobile plugin for WordPress (rocket-wp-mobile), in versions up to and including 1.3.3, contains a reflected cross-site scripting (XSS) vulnerability. The issue stems from improper neutralization of user-supplied input during web page generation [1]. This is the classic failure to sanitize input or encode output, which enables script injection.

Exploitation Conditions

An attacker can exploit this vulnerability by crafting a malicious link or form that, when visited or submitted by a privileged user (such as an administrator), executes arbitrary JavaScript in the context of the victim's session. User interaction is required for successful exploitation [1]. The attacker does not need to be authenticated, but the attack relies on a privileged user interacting with the crafted link or form.

Impact

Successful exploitation could allow an attacker to inject malicious scripts into the affected website. This may result in redirects to external sites, display of advertisements, theft of session cookies, or other unauthorized actions when other users visit the site [1]. The CVSS v3 base score is 7.1 (High).

Mitigation and Remediation

As of the publication date, an official patch had not been released for the affected versions. The vendor advisory recommends updating the plugin to a patched version as soon as available. In the interim, a mitigation rule from Patchstack can block attacks until a safe update can be applied [1]. Users unable to patch immediately should consult their hosting provider or a web developer for assistance.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
