Cyber Resilience

CVE-2025-26545

High

Published: 13 February 2025

Published
13 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0010 26.5th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26545 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-26545 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Related Posts Line-up-Exactly by Milliard (related-posts-line-up-exactry-by-milliard) that allows Stored Cross-Site Scripting (XSS). The issue affects all versions of the plugin from n/a through 0.0.22 inclusive. It is associated with CWE-352 and has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network-based exploitation with low complexity, no privileges required, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.

An unauthenticated attacker (PR:N) can exploit this vulnerability over the network (AV:N) by tricking an authenticated user, typically an administrator, into performing an unintended action via a malicious webpage or link (UI:R). This forged request injects and stores an XSS payload through the plugin's functionality, which executes in the browser context of subsequent users viewing affected pages, enabling potential theft of sensitive data like session cookies or further site compromise.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/related-posts-line-up-exactry-by-milliard/vulnerability/wordpress-related-posts-line-up-exactly-by-milliard-plugin-0-0-22-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on this CSRF-to-Stored XSS vulnerability in the Related Posts Line-up-Exactly by Milliard plugin version 0.0.22. Security practitioners should consult this reference for specific mitigation recommendations, such as applying available patches or removing the vulnerable plugin.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in shisuh Related Posts Line-up-Exactly by Milliard related-posts-line-up-exactry-by-milliard allows Stored XSS.This issue affects Related Posts Line-up-Exactly by Milliard: from n/a through <= 0.0.22.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

The CVE describes a CSRF-to-stored-XSS vulnerability in a public-facing WordPress plugin, directly enabling T1190 (Exploit Public-Facing Application). The attack requires tricking an admin via a malicious link or webpage, facilitating T1566.002 (Spearphishing Link). The resulting stored XSS payload executes in victim browsers to steal session cookies, enabling T1185 (Browser Session Hijacking).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-30572Shared CWE-352
CVE-2026-3857Shared CWE-352
CVE-2025-23900Shared CWE-352
CVE-2026-29784Shared CWE-352
CVE-2025-25140Shared CWE-352
CVE-2025-23567Shared CWE-352
CVE-2025-31443Shared CWE-352
CVE-2025-31444Shared CWE-352
CVE-2025-22690Shared CWE-352
CVE-2025-26577Shared CWE-352

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the specific CSRF-to-stored XSS flaw in the vulnerable WordPress plugin by requiring identification, prioritization, and patching or removal.

prevent

Enforces session authenticity mechanisms like CSRF tokens to prevent unauthenticated attackers from tricking authenticated users into injecting XSS payloads via forged requests.

prevent

Validates information inputs to the plugin's related posts functionality, blocking malicious XSS payloads from being stored even if a CSRF request succeeds.

References