Skip to main content

Debug-Bar-Extender CVE-2025-26555

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-15 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:31 vuln.today
CVE Published
Mar 15, 2025 - 22:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Debug-Bar-Extender allows Reflected XSS. This issue affects Debug-Bar-Extender: from n/a through 0.5.

AnalysisAI

Reflected cross-site scripting in Debug-Bar-Extender WordPress plugin versions through 0.5 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. This requires user interaction (victim must click a malicious link) but no authentication. Exploitation probability is low (EPSS 0.09%, 26th percentile) with no evidence of active exploitation or public proof-of-concept code at time of analysis. The vulnerability affects a WordPress debugging tool typically used in development environments, reducing real-world exposure.

Technical ContextAI

Debug-Bar-Extender is a WordPress plugin that extends the Debug Bar plugin with additional debugging panels. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-supplied input is reflected in HTML output without proper sanitization or encoding. This allows attackers to inject malicious JavaScript that executes in the context of the WordPress site when victims view attacker-controlled input. The changed scope (S:C) in the CVSS vector indicates the vulnerable component can impact resources beyond its security scope, typical of XSS where attacker code runs with victim's session privileges. WordPress plugins handle GET/POST parameters and URL paths that may be reflected in administrative interfaces or debug output screens without adequate input validation.

Affected ProductsAI

WordPress Debug-Bar-Extender plugin versions from earliest available through 0.5 are confirmed vulnerable per Patchstack advisory. The plugin extends the WordPress Debug Bar functionality and is typically installed on development or staging WordPress installations. No CPE data was provided in available sources. The vendor advisory at Patchstack (https://patchstack.com/database/wordpress/plugin/debug-bar-extender/vulnerability/wordpress-debug-bar-extender-plugin-0-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) provides the authoritative affected version range.

RemediationAI

Upgrade Debug-Bar-Extender to a patched version newer than 0.5 when available (patch version not independently confirmed at time of analysis - consult Patchstack advisory at https://patchstack.com/database/wordpress/plugin/debug-bar-extender/ for latest release). If no patch is available, implement these compensating controls: Disable Debug-Bar-Extender entirely on production sites (recommended practice for debugging tools), restrict plugin access to trusted administrator IP addresses via .htaccess or firewall rules (reduces attack surface but doesn't prevent exploitation from compromised admin accounts), implement Content Security Policy headers to block inline JavaScript execution (may break legitimate plugin functionality and requires testing), or uninstall the plugin if not actively needed (eliminates risk but removes debugging capability). Note that debugging plugins should never be active in production environments regardless of patch status.

Share

CVE-2025-26555 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy