CVE-2025-26575
Published: 26 March 2025
Summary
CVE-2025-26575 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 49.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-26575 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Display Post Meta WordPress plugin by Kyle Maurer. The issue affects the plugin from its initial release (n/a) through version 2.4.4.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable over the network with low attack complexity and no privileges required, though it requires user interaction such as clicking a crafted link. An unauthenticated attacker can supply malicious script in user-controlled input that the plugin reflects into the generated page without neutralizing it; the script then executes in the victim's browser. That is why the scope is changed (the impact lands in the visitor's browser rather than in the vulnerable plugin itself), with low impact on confidentiality, integrity, and availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/display-post-meta/vulnerability/wordpress-display-post-meta-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8166
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kyle Maurer Display Post Meta display-post-meta allows Reflected XSS. This issue affects Display Post Meta: from n/a through <= 2.4.4.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a reflected XSS vulnerability (CWE-79) in a public-facing WordPress plugin, which maps directly to Exploit Public-Facing Application (T1190): the plugin's exposed page-generation path is what an attacker abuses to execute malicious script in the victim's browser context.
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): directly mandates filtering of outputs during web page generation to neutralize unsanitized user input and prevent reflected XSS execution in the victim's browser.
- SI-10 (Information Input Validation): requires validation of user-controlled inputs to the Display Post Meta plugin, addressing the improper neutralization that enables script injection.
- Flaw remediation: ensures timely identification, reporting, and patching of the specific flaw in Display Post Meta versions through <= 2.4.4 to remediate the XSS vulnerability.
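As an added illustration of the CWE-79 pattern described in the analysis above and of how the SI-10 and SI-15 controls apply to it in a WordPress plugin, the following shows the vulnerable form of a page-generation function beside a hardened form. This is not code from the Display Post Meta plugin; the shortcode name 'dpm_demo', the 'dpm_key' request parameter and the function names are hypothetical.

```php
<?php
// Added illustration, not the Display Post Meta plugin's code.
// 'dpm_demo', 'dpm_key' and the function names are hypothetical.

// Vulnerable form (reflected XSS): the raw request value is concatenated
// into HTML, so a parameter that contains markup is rendered as markup
// in the visitor's page and any script in it runs in their browser.
function dpm_demo_render_vulnerable() {
    $key = isset( $_GET['dpm_key'] ) ? $_GET['dpm_key'] : '';
    return '<p>Showing meta for key: ' . $key . '</p>'
         . '<input type="text" name="dpm_key" value="' . $key . '">';
}

// Hardened form: validate on the way in (SI-10) and escape on the way out
// for the exact HTML context (SI-15), using WordPress core helpers.
function dpm_demo_render_hardened() {
    $key = '';
    if ( isset( $_GET['dpm_key'] ) ) {
        // wp_unslash() undoes WordPress's added slashes; sanitize_key()
        // keeps only lowercase alphanumerics, '-' and '_', a strict
        // allow-list suited to an identifier-like value such as a meta key.
        $key = sanitize_key( wp_unslash( $_GET['dpm_key'] ) );
    }
    // Escaping is chosen per output location: esc_html() for text content,
    // esc_attr() for an attribute value. Validation alone is not enough;
    // the output step is what SI-15 requires.
    return '<p>Showing meta for key: ' . esc_html( $key ) . '</p>'
         . '<input type="text" name="dpm_key" value="' . esc_attr( $key ) . '">';
}

// Register the hardened renderer as a shortcode. Shortcode callbacks return
// their HTML rather than echoing it, which also keeps escaping reviewable.
add_shortcode( 'dpm_demo', 'dpm_demo_render_hardened' );
```

When auditing a plugin for this class of flaw, look for any `$_GET`, `$_POST` or `$_REQUEST` value that reaches an `echo`, `return` of HTML, or `printf` without passing through an `esc_*()` call matched to its context.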