CVE-2025-26945
Description
Stored Cross-Site Scripting (XSS) in bPlugins Info Cards plugin for WordPress (<=1.0.5) allows attackers to inject malicious scripts via unsanitized input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The Info Cards plugin for WordPress suffers from a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw affects all versions up to and including 1.0.5 [1].
Exploitation
Attackers with contributor-level privileges (or higher) can inject arbitrary scripts into the plugin's cards, which are then stored and executed when any user views the affected page. Exploitation requires user interaction from a privileged user to initiate the injection, but no further user action is needed for the payload to execute on subsequent visits [1].
Impact
Successful exploitation enables an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, redirection to malicious sites, forced advertisements, or other HTML/JavaScript payloads. This can compromise the integrity and confidentiality of the affected WordPress site [1].
Mitigation
bPlugins has released version 1.0.6, which fixes the vulnerability. All users are strongly advised to update immediately. For those unable to update, applying a virtual patch or using a web application firewall can reduce risk, but updating is the definitive solution [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE) range: <=1.0.5
- (no CPE) range: <=1.0.5
Patches
0: No patches discovered yet.
References: 1
News mentions: 0 (no linked articles in our index yet)