CVE-2025-27266

Vulnerability

Overview

The Hover Image Button plugin for WordPress, versions up to and including 1.1.2, contains a DOM-based Cross-Site Scripting (XSS) vulnerability caused by improper neutralization of user input during web page generation [1]. This flaw allows an attacker to inject arbitrary JavaScript code that executes in the context of a victim's browser when visiting an affected page.

Exploitation

Details

Exploitation requires a privileged user (e.g., an administrator or editor) to perform an action such as clicking a crafted link or submitting a malicious form [1]. The attack vector is network-based with low complexity and no authentication requirements for the attacker, though user interaction is needed to trigger the payload. The vulnerability is classified as DOM-based, meaning the malicious payload modifies the DOM environment in the victim's browser without being reflected in the server response.

Impact

Successful exploitation enables an attacker to execute arbitrary scripts, redirect users to phishing sites, display unwanted advertisements, or steal sensitive information such as session cookies [1]. While the CVSS score of 6.5 reflects a medium severity, the plugin's widespread use makes it attractive for mass-exploit campaigns targeting thousands of websites [1].

Mitigation

The vendor has not released a patched version at the time of publication. Users are advised to immediately update the plugin if a fix becomes available, or contact their hosting provider for assistance. As a workaround, consider disabling the plugin until a security update is released [1].