CVE-2025-26913

Vulnerability

Description The AR For WordPress plugin (versions ≤ 7.7) contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This flaw falls under CWE-79, where unsanitized data can be embedded in the DOM and executed in the victim's browser.

Exploitation

Conditions Exploitation requires user interaction — a privileged user must click a malicious link, visit a crafted page, or submit a specially formed request. The attacker can initiate the attack with the privileges shown in the required role, but successful injection depends on the victim performing an action. The vulnerability is DOM-based, meaning the payload executes within the browser's DOM environment rather than on the server side.

Impact

If exploited, an attacker can inject arbitrary scripts, such as redirects, advertisements, or other HTML payloads, which execute when other site visitors access the affected page. This could lead to defacement, data theft, or phishing attacks, though the reference notes a low severity and low likelihood of mass exploitation.

Mitigation

The vulnerability has been patched in version 7.8. Users are strongly advised to update to that version immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, contact a hosting provider or web developer for assistance [1].