CVE-2025-26544
Published: 26 March 2025
Summary
CVE-2025-26544 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 40.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-26544 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Cross-site Scripting (CWE-79), specifically Reflected XSS, in the Max K UTM tags tracking for Contact Form 7 WordPress plugin (cf7-utm-tracking). The issue affects all plugin versions through 2.1 inclusive (the record gives no lower bound, "n/a"). Published on 2025-03-26, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L); the High rating reflects its network accessibility and scope change.
A remote attacker requires no privileges and can exploit it over the network with low attack complexity, though user interaction is necessary, such as a victim accessing a malicious link or page. Exploitation results in reflected XSS, allowing script execution in the victim's browser context and achieving low impacts on confidentiality, integrity, and availability across the changed scope.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/cf7-utm-tracking/vulnerability/wordpressutm-tags-landing-page-plugin-1-4-csrf-to-stored-xss-vulnerability?_s_id=cve documents the vulnerability and likely includes guidance on patches or mitigations for affected WordPress installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8174
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Max K UTM tags tracking for Contact Form 7 cf7-utm-tracking allows Reflected XSS. This issue affects UTM tags tracking for Contact Form 7: from n/a through <= 2.1.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.007 Command and Scripting Interpreter: JavaScript
Why these techniques?
The reflected XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and facilitates arbitrary JavaScript execution in the victim's browser context (T1059.007).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): enforces validation of untrusted inputs to prevent the improper neutralization during web page generation that enables reflected XSS.
- SI-15 (Information Output Filtering): filters and sanitizes information outputs to block malicious script injection in reflected XSS attacks.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws like this plugin vulnerability, eliminating the XSS risk.
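To make the reflected-XSS pattern from the deeper analysis and the SI-10 / SI-15 controls above concrete, here is an added PHP example; it is not the cf7-utm-tracking plugin's code. It assumes UTM query parameters are copied into hidden form fields (the field names are assumptions) and shows the unescaped rendering beside a validated and escaped version.

```php
<?php
// Hypothetical illustration of the CWE-79 pattern behind CVE-2025-26544 and the
// SI-10 / SI-15 fixes; not the cf7-utm-tracking plugin's code (field names assumed).
const UTM_KEYS = ['utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content'];
// VULNERABLE (reflected XSS): query-string values are written straight into hidden
// form inputs, so whoever crafts the link controls the generated HTML.
function utm_hidden_fields_vulnerable(array $query): string
{
    $html = '';
    foreach (UTM_KEYS as $key) {
        if (isset($query[$key])) {
            $html .= '<input type="hidden" name="' . $key . '" value="' . $query[$key] . '">';
        }
    }
    return $html;
}

// SI-10 (Information Input Validation): accept only what a UTM tag can plausibly be.
// In WordPress, sanitize_text_field() covers the strip/trim step.
function validate_utm_value($raw): ?string
{
    $value = is_string($raw) ? trim(strip_tags($raw)) : '';
    if ($value === '' || strlen($value) > 255) {
        return null;
    }
    // Allow-list of letters, digits and a few separators; quotes and angle brackets
    // (anything that could break out of an attribute) are rejected outright.
    return preg_match('/^[A-Za-z0-9 ._:\/-]+$/', $value) ? $value : null;
}

// SI-15 (Information Output Filtering): escape for the HTML attribute context at the
// point of output. WordPress code would use esc_attr(); plain PHP keeps this runnable.
function utm_hidden_fields_safe(array $query): string
{
    $html = '';
    foreach (UTM_KEYS as $key) {
        $value = validate_utm_value($query[$key] ?? null);
        if ($value === null) {
            continue;
        }
        $html .= '<input type="hidden" name="' . htmlspecialchars($key, ENT_QUOTES | ENT_HTML5, 'UTF-8')
               . '" value="' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
    }
    return $html;
}
// Constructed demo input: one value that closes the attribute early, one legitimate tag.
$demo = ['utm_source' => '"><script>alert(1)</script>', 'utm_campaign' => 'spring_2025'];
echo utm_hidden_fields_vulnerable($demo), PHP_EOL; // script tag lands in the page
echo utm_hidden_fields_safe($demo), PHP_EOL;       // utm_source rejected, utm_campaign escaped
```

Run with `php example.php` to see the vulnerable output break out of the `value` attribute while the hardened version drops the malformed tag and escapes the legitimate one.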