Skip to main content

WP Discord Post CVE-2025-26554

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-15 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:31 vuln.today
CVE Published
Mar 15, 2025 - 22:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Discord Post allows Reflected XSS. This issue affects WP Discord Post: from n/a through 2.1.0.

AnalysisAI

Reflected cross-site scripting (XSS) in WP Discord Post WordPress plugin versions up to 2.1.0 enables remote attackers to execute arbitrary JavaScript in victim browsers via malicious links. Exploitation requires victim interaction (clicking a crafted URL) but no authentication, achieving cross-site scope impact with potential session hijacking and account takeover. Reported by Patchstack's audit team with EPSS exploitation probability at 0.09% (26th percentile), indicating low observed exploitation activity. No CISA KEV listing confirms this remains a theoretical risk rather than widespread active threat.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) in the WP Discord Post WordPress plugin, which integrates WordPress content publishing with Discord webhooks. Reflected XSS occurs when user-supplied input is immediately returned in HTTP responses without proper sanitization, allowing attackers to inject malicious JavaScript that executes in the victim's browser context. The CVSS vector indicates changed scope (S:C), meaning the vulnerable component (WordPress plugin) operates in a different security context than the impacted component (user browser session), enabling attacks against WordPress authentication cookies and admin sessions. The CPE structure indicates this affects WordPress plugin ecosystem installations running WP Discord Post versions from initial release through 2.1.0.

Affected ProductsAI

WordPress WP Discord Post plugin versions from initial release (n/a) through 2.1.0 are affected. The vulnerability is present in all installations of these versions regardless of WordPress core version. Patchstack vulnerability database entry available at https://patchstack.com/database/wordpress/plugin/wp-discord-post/vulnerability/wordpress-wp-discord-post-plugin-2-1-0-reflectef-cross-site-scripting-xss-vulnerability provides detailed analysis. The CPE identifier would follow the pattern cpe:2.3:a:nf_team:wp_discord_post:*:*:*:*:*:wordpress:*:* with version range through 2.1.0.

RemediationAI

Upgrade WP Discord Post plugin to version 2.1.1 or later if available, checking the official WordPress plugin repository or vendor release notes for the patched version. As of analysis time, the Patchstack advisory confirms the vulnerability affects through 2.1.0, implying a fix exists in a subsequent release, though the exact patched version is not independently confirmed from available data. Administrators should review https://patchstack.com/database/wordpress/plugin/wp-discord-post/vulnerability for vendor-specific remediation guidance. If immediate patching is not feasible, implement compensating controls: restrict WP Discord Post plugin access to only trusted administrator accounts via WordPress role-based access controls, deploy web application firewall (WAF) rules to detect and block common XSS attack patterns in query parameters and POST data (noting this may cause false positives requiring tuning), and educate administrative users about the risks of clicking untrusted links while authenticated to WordPress admin panel. Consider temporarily deactivating the plugin if Discord integration is not actively required, though this eliminates intended functionality. Review WordPress access logs for suspicious GET/POST requests with JavaScript-like payloads targeting WP Discord Post endpoints to identify potential exploitation attempts.

Share

CVE-2025-26554 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy