CVE-2025-52796

The WP-Recall plugin for WordPress, versions n/a through 16.26.14, contains a reflected cross-site scripting vulnerability due to insufficient sanitization of user input during page generation. This Improper Neutralization of Input During Web Page Generation weakness (CWE-79) enables an attacker to inject arbitrary HTML and JavaScript code into web pages.

Exploitation does not require prior authentication but necessitates user interaction—a privileged user must click a malicious link, visit a crafted page, or submit a specially crafted form. This attack vector is typical of reflected XSS, where the injected payload is immediately executed in the victim's browser session. The vulnerability is considered moderately dangerous and is expected to be incorporated into mass-exploit campaigns targeting thousands of websites simultaneously [1].

If successfully exploited, an attacker can inject malicious scripts that execute in the context of the victim's browser. This can lead to redirecting users to phishing sites, injecting advertisements, or performing other unauthorized actions on the affected website. The CVSS v3 base score of 7.1 (High) reflects the potential impact and ease of exploitation [1].

Patchstack has released a mitigation rule that can block attacks until an official patch is deployed. The recommended immediate action is to update the plugin to a patched version. If updating is not possible, site administrators should contact their hosting provider or a web developer for assistance [1].