Skip to main content

WP AntiDDOS CVE-2025-26556

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-15 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Apr 25, 2026 - 00:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 25, 2026 - 00:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:31 vuln.today
CVE Published
Mar 15, 2025 - 22:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zzmaster WP AntiDDOS allows Reflected XSS. This issue affects WP AntiDDOS: from n/a through 2.0.

AnalysisAI

Reflected cross-site scripting (XSS) in WP AntiDDOS WordPress plugin versions through 2.0 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs requiring user interaction. Reported by Patchstack with CVSS 7.1 due to changed scope, though EPSS score of 0.09% (26th percentile) indicates low observed exploitation probability. No active exploitation confirmed via CISA KEV and no public proof-of-concept identified at time of analysis.

Technical ContextAI

This vulnerability stems from improper input sanitization in the WP AntiDDOS WordPress plugin, a security plugin designed to protect WordPress sites from distributed denial-of-service attacks. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied data is reflected in HTTP responses without adequate HTML encoding or JavaScript escaping. The WordPress plugin architecture allows extensions to process GET/POST parameters and generate dynamic content, and WP AntiDDOS versions through 2.0 fail to sanitize at least one input vector before rendering it in HTML contexts. This enables attackers to inject malicious scripts that execute when victims interact with specially crafted links, typically targeting WordPress site administrators or authenticated users with elevated privileges.

Affected ProductsAI

WP AntiDDOS WordPress plugin versions from earliest release through version 2.0 are confirmed vulnerable per Patchstack advisory. The plugin is developed by zzmaster and distributed through the WordPress plugin repository. All WordPress installations running WP AntiDDOS 2.0 or earlier are affected regardless of WordPress core version. Specific version ranges or CPE identifiers beyond 'through 2.0' were not provided in available intelligence. Patchstack database entry serves as the authoritative vendor advisory at https://patchstack.com/database/wordpress/plugin/wpantiddos/vulnerability/wordpress-wp-antiddos-plugin-2-0-cross-site-scripting-xss-vulnerability.

RemediationAI

Immediate action is to check WordPress plugin inventory for WP AntiDDOS versions 2.0 or earlier and remove or update the plugin. Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpantiddos/vulnerability/wordpress-wp-antiddos-plugin-2-0-cross-site-scripting-xss-vulnerability should be consulted for patch availability, though no specific patched version number is confirmed in available data at time of analysis. If the plugin is not actively used for DDoS protection, complete removal eliminates risk. If continued use is required and no patch is available, implement compensating controls: restrict WordPress admin panel access to trusted IP ranges via .htaccess or firewall rules, deploy Content Security Policy headers with strict script-src directives to prevent inline JavaScript execution, enable HttpOnly and Secure flags on session cookies to limit XSS impact, and train administrators to verify URL legitimacy before clicking links in emails or external messages. Monitor WordPress access logs for suspicious query parameters targeting the plugin's endpoints. These mitigations reduce but do not eliminate XSS risk, with CSP potentially breaking legitimate plugin functionality requiring testing in staging environments first.

Share

CVE-2025-26556 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy