Random Image Selector CVE-2025-26548
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Random Image Selector allows Reflected XSS. This issue affects Random Image Selector: from n/a through 2.4.
AnalysisAI
Reflected cross-site scripting (XSS) in Random Image Selector WordPress plugin versions through 2.4 allows remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. The vulnerability requires user interaction (UI:R) but no authentication (PR:N), enabling attacks via phishing or social engineering. EPSS score of 0.09% (26th percentile) indicates low exploitation probability. No public exploit identified at time of analysis, and vulnerability is not present in CISA KEV, suggesting limited real-world targeting despite medium-high CVSS 7.1.
Technical ContextAI
This is a reflected XSS vulnerability (CWE-79) in the Random Image Selector WordPress plugin, which typically displays random images from a specified directory or media library. The flaw stems from improper neutralization of user-supplied input before rendering it in HTML responses. The plugin fails to sanitize or escape parameters reflected in web pages, allowing attackers to inject malicious JavaScript that executes in the security context of the vulnerable WordPress site. Reflected XSS differs from stored XSS in that the malicious payload is not persisted server-side but instead delivered via crafted URLs. The vulnerability affects all versions from the initial release through version 2.4, indicating a long-standing input validation issue in the codebase.
Affected ProductsAI
Random Image Selector WordPress plugin versions from initial release (n/a) through version 2.4 are vulnerable. The Patchstack advisory references version 1.5.6 specifically, but NVD data confirms all versions up to and including 2.4 are affected. This is a third-party WordPress plugin developed by NotFound (developer name per vulnerability report). Sites running Random Image Selector should verify their installed version via WordPress admin dashboard under Plugins. Patchstack database entries available at https://patchstack.com/database/wordpress/plugin/random-image-selector/vulnerability/wordpress-random-image-selector-plugin-1-5-6-reflected-cross-site-scripting-vulnerability provide additional technical details.
RemediationAI
Upgrade Random Image Selector plugin to a patched version greater than 2.4 if available via the WordPress plugin repository or vendor site. Check the official WordPress plugin directory and Patchstack advisory at https://patchstack.com/database/wordpress/plugin/random-image-selector/vulnerability for confirmed fix version and update instructions. If no patched version exists, immediately disable and remove the Random Image Selector plugin from WordPress installations until a security update is released. As compensating controls, implement Content Security Policy (CSP) headers restricting script-src to 'self' to limit XSS impact, though this may break inline JavaScript used by other plugins. Deploy a Web Application Firewall (WAF) with XSS pattern detection to filter malicious parameters, accepting that sophisticated payloads may bypass signature-based detection. Educate WordPress administrators and content editors about phishing risks and avoiding suspicious links targeting the site's domain. Note that CSP and WAF are defense-in-depth measures that reduce but do not eliminate risk - plugin upgrade or removal is the definitive fix.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today