CVE-2025-26980

Vulnerability

Overview

The Wired Impact Volunteer Management plugin for WordPress (versions up to 2.5) contains a stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation. This flaw allows an attacker with a privileged role (e.g., administrator or editor) to inject arbitrary JavaScript or HTML into the plugin's pages, which is then stored and executed when other users visit those pages. The vulnerability is classified as CWE-79 and carries a CVSS v3 score of 6.5 (Medium). [1]

Exploitation

Requirements

Exploitation requires a user with sufficient privileges (as defined by the plugin's roles) to inject malicious payloads through input fields that are not sanitized. The attacker must be authenticated and able to submit crafted data; the stored payload will trigger when any user (including unauthenticated visitors) accesses the affected page. User interaction is not required from the victim beyond browsing to the infected page. [1]

Impact

Successful exploitation enables an attacker to execute arbitrary scripts in the browser context of visitors, leading to potential data theft, session hijacking, defacement, redirection to malicious sites, or injection of advertisements. Because the XSS is stored, the payload persists and affects all subsequent visitors until the malicious content is removed. [1]

Mitigation

The vendor has released version 2.5.1 which fixes the vulnerability by properly sanitizing user input. Administrators are strongly advised to update the plugin immediately. For sites unable to update, a temporary workaround is to disable the plugin or restrict access to the vulnerable functionality until patching is possible. The advisory notes that while the severity is medium, such vulnerabilities are frequently leveraged in mass exploitation campaigns against WordPress sites. [1]