CVE-2026-25369

Vulnerability

Overview

The Flexmls® IDX plugin for WordPress, versions 3.15.9 and earlier, contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This type of flaw occurs when an application includes unvalidated or unescaped data in an HTTP response, enabling an attacker to inject arbitrary HTML or JavaScript code.

Exploitation

Conditions

Exploitation requires user interaction—a privileged user must click a crafted link, visit a specially prepared page, or submit a malicious form [1]. While the attack can be initiated by an unauthenticated actor (the attacker sends the malicious link), the vulnerable endpoint is triggered when the victim (e.g., a site administrator) performs the action. No special network position is needed; the attack works over the public internet.

Impact

A successful exploit allows the attacker to inject scripts that execute in the context of the victim’s browser session on the affected WordPress site. This could lead to redirection to malicious sites, injection of advertisements, or other HTML payloads that alter the page behavior when visited by site guests [1]. The CVSS v3 score of 7.1 (High) reflects the moderate-to-serious risk, and the vulnerability is expected to be used in mass-exploit campaigns targeting thousands of sites regardless of traffic size [1].

Mitigation

The vulnerability is remediated in plugin version 3.15.10. Users are strongly advised to update immediately [1]. For those unable to update, Patchstack provides a virtual mitigation rule that blocks attacks until the update can be applied. No other workarounds are documented.