CVE-2025-26542
Published: 26 March 2025
Summary
CVE-2025-26542 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-26542 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Zalo Live Chat WordPress plugin developed by Dang Ngoc Binh. The issue affects all versions of the zalo-live-chat plugin from n/a through 1.1.0 inclusive. Published on 2025-03-26, it carries a CVSS v3.1 base score of 7.1.
Attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), and it results in a changed scope (S:C) with low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L). A remote unauthenticated attacker could craft malicious input that, when reflected in a web page and interacted with by a user (such as via a phishing link), executes arbitrary JavaScript in the victim's browser context.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/zalo-live-chat/vulnerability/wordpress-zalo-live-chat-plugin-1-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8175
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dang Ngoc Binh Zalo Live Chat zalo-live-chat allows Reflected XSS.This issue affects Zalo Live Chat: from n/a through <= 1.1.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of the web application (T1190) to execute arbitrary JavaScript in the browser (T1059.007) via crafted malicious links.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Filters reflected user inputs during web page generation to neutralize XSS payloads and prevent arbitrary JavaScript execution in victims' browsers.
Validates malicious inputs to the Zalo Live Chat plugin before processing, blocking CWE-79 reflected XSS exploitation.
Mandates identification, reporting, and correction of the specific flaw in Zalo Live Chat versions <=1.1.0 to remediate the XSS vulnerability.