Cyber Resilience

CVE-2026-25352

High

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0004 14.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25352 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-25352 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as CWE-79, enabling Reflected Cross-site Scripting (XSS) in the skygroup MyDecor WordPress theme. This issue affects MyDecor versions from n/a through those prior to 1.5.9. Published on 2026-03-25, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low complexity, no required privileges, user interaction, and changed scope with low impacts across confidentiality, integrity, and availability.

Remote attackers without privileges can exploit this vulnerability by crafting malicious inputs that reflect unsanitized user-supplied data in web page generation, tricking victims into interacting via phishing links or similar vectors. Successful exploitation executes arbitrary JavaScript in the victim's browser context, potentially leading to session hijacking, data theft, or further site compromise, though impacts remain low per the CVSS metrics.

The Patchstack advisory recommends updating the MyDecor theme to version 1.5.9 or later, where the reflected XSS vulnerability is addressed. No other mitigations are specified in available references.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup MyDecor mydecor allows Reflected XSS.This issue affects MyDecor: from n/a through < 1.5.9.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Reflected XSS enables crafting malicious links (T1566.002) that execute arbitrary JavaScript (T1059.007) in the victim's browser, directly facilitating session hijacking (T1185) and data theft as described.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24535Shared CWE-79
CVE-2025-22356Shared CWE-79
CVE-2024-13625Shared CWE-79
CVE-2024-13574Shared CWE-79
CVE-2026-25461Shared CWE-79
CVE-2025-23491Shared CWE-79
CVE-2026-33136Shared CWE-79
CVE-2026-30918Shared CWE-79
CVE-2025-23464Shared CWE-79
CVE-2025-27279Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses improper neutralization of input during web page generation by requiring filtering of outputs to prevent reflected XSS execution.

prevent

Validates user-supplied inputs to reject or sanitize malicious JavaScript payloads that enable reflected XSS in the MyDecor theme.

prevent

Mandates timely identification and patching of flaws like this reflected XSS vulnerability by updating the MyDecor theme to version 1.5.9 or later.

References