CVE-2025-26991

Vulnerability

Overview

The WPPizza plugin for WordPress versions 3.19.4 and earlier contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw allows an attacker to inject arbitrary HTML and JavaScript into a page, which is then reflected back to the victim's browser [1].

Exploitation

Prerequisites

Exploitation requires user interaction: a privileged user (e.g., administrator) must click a crafted link, visit a specially prepared page, or submit a malicious form. The attacker does not need authentication but relies on tricking an authenticated user into performing the action. This makes the vulnerability suitable for mass-exploit campaigns targeting multiple WordPress sites [1].

Impact

Successful exploitation enables the attacker to execute arbitrary scripts in the context of the victim's session. This can lead to redirects, injection of advertisements, theft of session cookies, or other malicious actions that compromise the site's integrity and user trust [1].

Mitigation

The vendor has released version 3.19.5 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a virtual mitigation rule to block attacks until the patch is applied [1].