CVE-2026-25347
Published: 25 March 2026
Summary
CVE-2026-25347 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-25347 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the Acato WP REST Cache (wp-rest-cache) WordPress plugin. This issue affects all versions from n/a through 2026.1.0, as published on 2026-03-25.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no privileges required, and user interaction needed, with changed scope and low impacts across confidentiality, integrity, and availability. Unauthenticated remote attackers can exploit it by injecting malicious payloads that persist and execute in users' browsers when viewing affected pages generated by the plugin.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-rest-cache/vulnerability/wordpress-wp-rest-cache-plugin-2026-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve details the Stored XSS vulnerability in WP REST Cache version 2026.1.0 and provides information relevant to mitigation for affected WordPress installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15663
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Acato WP REST Cache wp-rest-cache allows Stored XSS.This issue affects WP REST Cache: from n/a through <= 2026.1.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in public-facing WP plugin enables remote injection (T1190) of persistent JS payloads that execute in visitor browsers (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the Stored XSS vulnerability in WP REST Cache by requiring timely patching of the affected plugin versions up to 2026.1.0.
Prevents Stored XSS exploitation by filtering outputs prior to storage or transmission to block malicious payloads injected via the plugin's web page generation.
Mitigates improper neutralization of input in the WP REST Cache plugin by validating and rejecting malicious inputs that could lead to persistent XSS payloads.