CVE-2025-26981
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in accessiBe Web Accessibility By accessiBe accessibe allows Reflected XSS. This issue affects Web Accessibility By accessiBe: from n/a through <= 2.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected cross-site scripting (XSS) vulnerability in the Web Accessibility By accessiBe WordPress plugin (≤2.5) allows attackers to inject malicious scripts via crafted requests.
Vulnerability
Overview
The Web Accessibility By accessiBe WordPress plugin, versions 2.5 and earlier, contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. The flaw, tracked as CVE-2025-26981, can be exploited remotely without authentication, though user interaction is required (e.g., clicking a crafted link) [1].
Exploitation
Prerequisites and Attack Surface
An attacker can exploit this vulnerability by crafting a malicious link containing injected script payloads. The victim must be logged into WordPress and click the link or visit a specially crafted page. No elevated privileges are required on the attacker's part, and the attack does not require user interaction beyond the initial click. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of size [1].
Impact
Successful exploitation allows the attacker to inject arbitrary HTML and JavaScript into the victim's browser session within the context of the WordPress admin dashboard or front-end, depending on the vulnerable endpoint. This can lead to redirects, display of advertisements, theft of session cookies, or other malicious actions performed on behalf of the victim user [1].
Mitigation
The vulnerability has been addressed in version 2.6 of the plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a virtual patching rule to block attacks. Turn on auto-updates for vulnerable plugins where possible [1].
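One way to act on the update advice above across several sites, as an added example (not code from the advisory or the plugin): it flags every install below the fixed release 2.6, which conservatively treats any 2.5.x build as affected. The plugin slug `accessibe` is taken from the CVE description, WP-CLI is assumed to be installed, and the inventory lines are constructed.

```shell
#!/bin/sh
# Added example: audit plugin versions against the fixed release of CVE-2025-26981.
# Assumed way to collect a version per site (WP-CLI, slug from the CVE description):
#   wp plugin get accessibe --field=version --path=/path/to/site
# Assumed remediation once a site is flagged:
#   wp plugin update accessibe && wp plugin auto-updates enable accessibe
FIXED_IN="2.6"   # from the advisory: affected through <= 2.5, addressed in 2.6

# version_lt A B: exit 0 when dotted numeric version A is lower than B.
version_lt() {
  va=$1 vb=$2
  while [ -n "$va" ] || [ -n "$vb" ]; do
    vx=${va%%.*}; vy=${vb%%.*}
    case $va in *.*) va=${va#*.} ;; *) va= ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    [ "${vx:-0}" -lt "${vy:-0}" ] && return 0
    [ "${vx:-0}" -gt "${vy:-0}" ] && return 1
  done
  return 1   # equal versions are not "lower"
}

# classify VERSION: print AFFECTED, OK, or UNKNOWN (empty or non-numeric string).
classify() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) echo UNKNOWN; return 0 ;;
  esac
  if version_lt "$1" "$FIXED_IN"; then echo AFFECTED; else echo OK; fi
}

# audit: read "site version" lines on stdin, print "site<TAB>status".
audit() {
  while read -r site ver; do
    case $site in ''|'#'*) continue ;; esac
    printf '%s\t%s\n' "$site" "$(classify "$ver")"
  done
}

# Constructed inventory: hostnames and versions are made up for the example.
audit <<'EOF'
blog.example      2.5
shop.example      2.6
legacy.example    2.5.1
staging.example   2.5-beta
EOF
```

UNKNOWN rows (missing plugin, unparsable version string) should be checked by hand rather than assumed safe.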
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.