CVE-2025-26588
Published: 03 March 2025
Summary
CVE-2025-26588 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-26588 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the TTT Crop WordPress plugin developed by gabrielperezs. This issue affects all versions of the plugin from its initial release through version 1.0 inclusive. The vulnerability was published on 2025-03-03.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no required privileges, but reliant on user interaction. Remote attackers can craft malicious inputs that reflect back to users, such as via phishing links or crafted URLs, tricking authenticated or unauthenticated users into executing arbitrary JavaScript in their browsers within the site's context. This enables potential theft of session cookies, keystroke logging, or minor disruptions, with low impacts on confidentiality, integrity, and availability due to the changed scope.
The Patchstack advisory documents the Reflected XSS vulnerability specifically in TTT Crop plugin version 1.0 for WordPress, providing details on the issue for security practitioners to review.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5608
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gabrielperezs TTT Crop ttt-crop allows Reflected XSS.This issue affects TTT Crop: from n/a through <= 1.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of public-facing applications (T1190) and arbitrary JavaScript execution in browser (T1059.007) for impacts like cookie theft and keylogging.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-15 requires filtering of information outputs to prevent malicious scripts from being reflected back in web pages, directly addressing the reflected XSS vulnerability in TTT Crop.
SI-10 enforces validation of user inputs to block malicious payloads before they are processed and reflected by the WordPress plugin.
SI-2 mandates identification and remediation of flaws, such as patching the TTT Crop plugin to fix the improper input neutralization leading to XSS.