CVE-2026-25352

High

Published: 25 March 2026

Published

25 March 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0004 11.8th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25352 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 11.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Spearphishing Link (T1566.002) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-15 Information Output Filtering good match

prevent

Directly addresses improper neutralization of input during web page generation by requiring filtering of outputs to prevent reflected XSS execution.

SI-10 Information Input Validation good match

prevent

Validates user-supplied inputs to reject or sanitize malicious JavaScript payloads that enable reflected XSS in the MyDecor theme.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification and patching of flaws like this reflected XSS vulnerability by updating the MyDecor theme to version 1.5.9 or later.

MITRE ATT&CK Enterprise TechniquesAI

T1566.002 Spearphishing Link Initial Access

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

attack.mitre.org →

T1059.007 JavaScript Execution

Adversaries may abuse various implementations of JavaScript for execution.

attack.mitre.org →

T1185 Browser Session Hijacking Collection

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

attack.mitre.org →

Why these techniques?

Reflected XSS enables crafting malicious links (T1566.002) that execute arbitrary JavaScript (T1059.007) in the victim's browser, directly facilitating session hijacking (T1185) and data theft as described.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup MyDecor mydecor allows Reflected XSS.This issue affects MyDecor: from n/a through < 1.5.9.

Deeper analysisAI

CVE-2026-25352 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as CWE-79, enabling Reflected Cross-site Scripting (XSS) in the skygroup MyDecor WordPress theme. This issue affects MyDecor versions from n/a through those prior to 1.5.9. Published on 2026-03-25, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low complexity, no required privileges, user interaction, and changed scope with low impacts across confidentiality, integrity, and availability.

Remote attackers without privileges can exploit this vulnerability by crafting malicious inputs that reflect unsanitized user-supplied data in web page generation, tricking victims into interacting via phishing links or similar vectors. Successful exploitation executes arbitrary JavaScript in the victim's browser context, potentially leading to session hijacking, data theft, or further site compromise, though impacts remain low per the CVSS metrics.

The Patchstack advisory recommends updating the MyDecor theme to version 1.5.9 or later, where the reflected XSS vulnerability is addressed. No other mitigations are specified in available references.

Details

CWE(s): CWE-79

CVEs Like This One

CVE-2025-24535Shared CWE-79

CVE-2025-22356Shared CWE-79

CVE-2026-33136Shared CWE-79

CVE-2026-30918Shared CWE-79

CVE-2026-25461Shared CWE-79

CVE-2024-13574Shared CWE-79

CVE-2025-23464Shared CWE-79

CVE-2025-23491Shared CWE-79

CVE-2025-22682Shared CWE-79

CVE-2026-24838Shared CWE-79

References

https://patchstack.com/database/Wordpress/Theme/mydecor/vulnerability/wordpress-mydecor-theme-1-5-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com