Skip to main content

Random Image Selector CVE-2025-26548

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-15 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:32 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:31 vuln.today
CVE Published
Mar 15, 2025 - 22:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Random Image Selector allows Reflected XSS. This issue affects Random Image Selector: from n/a through 2.4.

AnalysisAI

Reflected cross-site scripting (XSS) in Random Image Selector WordPress plugin versions through 2.4 allows remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. The vulnerability requires user interaction (UI:R) but no authentication (PR:N), enabling attacks via phishing or social engineering. EPSS score of 0.09% (26th percentile) indicates low exploitation probability. No public exploit identified at time of analysis, and vulnerability is not present in CISA KEV, suggesting limited real-world targeting despite medium-high CVSS 7.1.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) in the Random Image Selector WordPress plugin, which typically displays random images from a specified directory or media library. The flaw stems from improper neutralization of user-supplied input before rendering it in HTML responses. The plugin fails to sanitize or escape parameters reflected in web pages, allowing attackers to inject malicious JavaScript that executes in the security context of the vulnerable WordPress site. Reflected XSS differs from stored XSS in that the malicious payload is not persisted server-side but instead delivered via crafted URLs. The vulnerability affects all versions from the initial release through version 2.4, indicating a long-standing input validation issue in the codebase.

Affected ProductsAI

Random Image Selector WordPress plugin versions from initial release (n/a) through version 2.4 are vulnerable. The Patchstack advisory references version 1.5.6 specifically, but NVD data confirms all versions up to and including 2.4 are affected. This is a third-party WordPress plugin developed by NotFound (developer name per vulnerability report). Sites running Random Image Selector should verify their installed version via WordPress admin dashboard under Plugins. Patchstack database entries available at https://patchstack.com/database/wordpress/plugin/random-image-selector/vulnerability/wordpress-random-image-selector-plugin-1-5-6-reflected-cross-site-scripting-vulnerability provide additional technical details.

RemediationAI

Upgrade Random Image Selector plugin to a patched version greater than 2.4 if available via the WordPress plugin repository or vendor site. Check the official WordPress plugin directory and Patchstack advisory at https://patchstack.com/database/wordpress/plugin/random-image-selector/vulnerability for confirmed fix version and update instructions. If no patched version exists, immediately disable and remove the Random Image Selector plugin from WordPress installations until a security update is released. As compensating controls, implement Content Security Policy (CSP) headers restricting script-src to 'self' to limit XSS impact, though this may break inline JavaScript used by other plugins. Deploy a Web Application Firewall (WAF) with XSS pattern detection to filter malicious parameters, accepting that sophisticated payloads may bypass signature-based detection. Educate WordPress administrators and content editors about phishing risks and avoiding suspicious links targeting the site's domain. Note that CSP and WAF are defense-in-depth measures that reduce but do not eliminate risk - plugin upgrade or removal is the definitive fix.

Share

CVE-2025-26548 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy