CVE-2025-26937

Vulnerability

Overview CVE-2025-26937 is a stored Cross-Site Scripting (XSS) vulnerability in the bPlugins Icon List Block plugin (icon-list-block) for WordPress. The plugin fails to properly neutralize user input during web page generation, enabling attackers with contributor-level access or higher to inject arbitrary JavaScript or HTML into posts or pages that use the block [1].

Exploitation

Context To exploit this vulnerability, an attacker must have a WordPress account with at least Contributor privileges and the ability to create or edit posts containing the Icon List Block. The injected payload is stored on the server and automatically executed in the browsers of any visitor viewing the compromised page; no additional user interaction is required from the victim [1].

Impact

Successful exploitation allows an attacker to perform a range of malicious actions, including redirecting visitors to phishing sites, displaying unwanted advertisements, stealing session cookies, or defacing the website. Because the XSS is stored, the payload affects all subsequent visitors until the malicious content is removed [1].

Mitigation

The vendor has released version 1.1.4 which fixes the vulnerability. Users are strongly advised to update to this version immediately. Patchstack users can enable auto-updates for vulnerable plugins. Those unable to update should contact their hosting provider or a web developer for assistance [1].