CVE-2025-26554
Published: 15 March 2025
Summary
CVE-2025-26554 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 25.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the improper neutralization of input by requiring validation of all information inputs to prevent reflected XSS payloads from being processed.
Mitigates reflected XSS by filtering and encoding information outputs prior to rendering in web pages, preventing malicious script execution in victims' browsers.
Ensures timely identification, mitigation, and patching of the specific flaw in the WP Discord Post plugin up to version 2.1.0.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS is exploited via crafted malicious links (T1566.002 Spearphishing Link) that execute arbitrary JavaScript in the victim's browser (T1059.007 JavaScript), as directly described in the attack vector requiring user interaction like clicking a phishing link.
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nicola Mustone WP Discord Post wp-discord-post allows Reflected XSS.This issue affects WP Discord Post: from n/a through <= 2.1.0.
Deeper analysisAI
CVE-2025-26554 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WP Discord Post plugin developed by Nicola Mustone for WordPress. The issue affects the plugin from unspecified initial versions through version 2.1.0 inclusive. Published on 2025-03-15, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.
Attackers can exploit this vulnerability remotely without authentication or privileges by crafting malicious input that reflects unsanitized on a web page, requiring user interaction such as clicking a phishing link or visiting a malicious site. Exploitation occurs in the victim's browser context, enabling limited impacts on confidentiality (e.g., stealing session cookies), integrity (e.g., modifying page content), and availability, with the changed scope potentially allowing actions across security boundaries on the same site.
Patchstack has documented this reflected XSS vulnerability specifically in WP Discord Post plugin version 2.1.0, providing details for security practitioners to assess and address exposure in affected WordPress environments.
Details
- CWE(s)