CVE-2025-26897
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Baden List Related Attachments list-related-attachments-widget allows DOM-Based XSS. This issue affects List Related Attachments: from n/a through <= 2.1.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
List Related Attachments plugin ≤2.1.6 for WordPress has a DOM-based XSS via improper input neutralization.
Vulnerability
Overview
The List Related Attachments widget plugin for WordPress, versions n/a through 2.1.6, contains an Improper Neutralization of Input During Web Page Generation vulnerability that leads to DOM-based Cross-Site Scripting (XSS) [1]. The flaw arises because the plugin fails to properly sanitize user-supplied input before writing it into the dynamically generated page, so attacker-controlled data can be interpreted as script by the browser when it is inserted into the DOM.
Exploitation
Prerequisites
Successful exploitation requires some user interaction: a privileged user (such as an administrator) must perform an action like clicking a crafted link, visiting a specially prepared page, or submitting a malicious form [1]. The attacker does not need to authenticate, but the attack vector depends on tricking an authenticated user into triggering the payload.
Impact
An attacker exploiting this XSS can inject arbitrary malicious scripts that run in the victim's browser when they visit the WordPress site [1]. Common payloads include redirects to attacker-controlled sites, unwanted advertisements, or other HTML/JavaScript that executes in the context of the vulnerable site. This could lead to session hijacking, defacement, or further compromise of the WordPress installation.
Mitigation
The vendor has not released a patched version for this vulnerability; users are advised to update the plugin to a secure version if one becomes available, or to apply workarounds such as Web Application Firewall (WAF) rules, or to contact their hosting provider for assistance [1]. Given that similar XSS vulnerabilities are often used in mass-exploit campaigns, immediate action is recommended.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.1.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.