CVE-2025-26751
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fahad Mahmood Alphabetic Pagination alphabetic-pagination allows Reflected XSS. This issue affects Alphabetic Pagination: from n/a through <= 3.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in WordPress Alphabetic Pagination plugin ≤3.2.1 allows unauthenticated attackers to inject arbitrary scripts via crafted input, fixed in 3.2.2.
The Alphabetic Pagination plugin for WordPress up to version 3.2.1 contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw falls under CWE-79 and can be triggered without authentication, though user interaction (e.g., clicking a crafted link) is required [1].
An attacker can exploit this by crafting a malicious URL that includes a JavaScript payload in a vulnerable parameter. When a privileged user (such as an administrator) clicks the link, the injected script executes in the context of their session. This attack vector is commonly used in mass-exploit campaigns targeting thousands of WordPress sites, regardless of site traffic or popularity [1].
The impact includes the ability to inject arbitrary HTML and JavaScript, which can lead to redirects, advertisements, cookie theft, or other malicious actions visible to site visitors. The CVSS v3 base score is 7.1 (High), reflecting the potential for significant harm with relatively low attack complexity [1].
The vulnerability is patched in version 3.2.2, released after disclosure. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the plugin is updated. Auto-update features can also be enabled to apply future patches promptly [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
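One way to check an install against the affected range stated above (<= 3.2.1, fixed in 3.2.2). This is an added example, not code from the plugin or from the advisory; it assumes the standard WordPress layout `wp-content/plugins/<slug>/` with a `Version:` header in a top-level PHP file, and the `index.php` name used in the fixture is constructed.

```python
import re
import tempfile
from pathlib import Path

SLUG = "alphabetic-pagination"   # plugin slug, from the CVE description
LAST_AFFECTED = (3, 2, 1)        # affected range on this page: <= 3.2.1

# WordPress reads plugin metadata from a comment header in a top-level PHP file.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """'3.2.1' -> (3, 2, 1); trailing zeros dropped so 3.2.1.0 == 3.2.1."""
    nums = [int(m.group()) if (m := re.match(r"\d+", p)) else 0
            for p in text.split(".")]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def audit(wp_root):
    """Return 'absent', 'unknown', 'vulnerable' or 'patched' for one install."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return "absent"
    for php in sorted(plugin_dir.glob("*.php")):
        # Only the start of the file is inspected for the header.
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        if NAME_RE.search(head) and (m := VERSION_RE.search(head)):
            ver = parse_version(m.group(1))
            return "vulnerable" if ver <= LAST_AFFECTED else "patched"
    return "unknown"  # directory exists but no readable header: check by hand

def make_sample(root, version):
    """Constructed fixture: a fake install; the main file name is hypothetical."""
    d = Path(root) / "wp-content" / "plugins" / SLUG
    d.mkdir(parents=True)
    (d / "index.php").write_text(
        f"<?php\n/*\nPlugin Name: Alphabetic Pagination\nVersion: {version}\n*/\n")
    return root

if __name__ == "__main__":
    for v in ("3.2.1", "3.2.2"):
        with tempfile.TemporaryDirectory() as tmp:
            print(v, "->", audit(make_sample(tmp, v)))
```

Point `audit()` at each WordPress document root on a host; an `unknown` result means the plugin directory is present but its header could not be read and needs manual review.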
Affected products (1)
- Range: <=3.2.1
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.