Skip to main content

ViperBar WordPress Plugin CVE-2025-26557

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:07 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound ViperBar allows Reflected XSS. This issue affects ViperBar: from n/a through 2.0.

AnalysisAI

Reflected cross-site scripting (XSS) in ViperBar WordPress plugin versions up to 2.0 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs requiring user interaction. Reported by Patchstack security researchers, this network-exploitable vulnerability has a low EPSS score (0.09%, 26th percentile) indicating minimal observed exploitation activity. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable component, enabling session hijacking or privilege escalation within WordPress installations.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) in the ViperBar WordPress plugin, a notification bar component. The flaw stems from improper neutralization of user-supplied input during HTML page generation. When the plugin processes URL parameters or form inputs without adequate sanitization or output encoding, an attacker can inject malicious JavaScript that executes in the security context of the WordPress site. The changed scope (S:C) rating suggests the JavaScript can interact with WordPress cookies, session tokens, or other origin-bound resources, extending impact beyond the plugin itself. Reflected XSS requires delivering a crafted URL to victims, typically through phishing emails or malicious links embedded in external sites.

Affected ProductsAI

NotFound ViperBar WordPress plugin versions from earliest release through version 2.0 are confirmed vulnerable per Patchstack database. The vulnerability affects all WordPress installations running these plugin versions regardless of WordPress core version. Patchstack advisory available at https://patchstack.com/database/wordpress/plugin/viperbar/vulnerability/wordpress-viperbar-plugin-2-0-reflected-cross-site-scripting-xss-vulnerability provides detailed identification guidance for affected deployments.

RemediationAI

Update ViperBar to version 2.1 or later if available, verifying patch status at https://patchstack.com/database/wordpress/plugin/viperbar/vulnerability/wordpress-viperbar-plugin-2-0-reflected-cross-site-scripting-xss-vulnerability. If no patched version exists or immediate update is infeasible, implement compensating controls: disable the ViperBar plugin entirely until patched (eliminates attack surface but removes notification bar functionality), configure Web Application Firewall (WAF) rules to sanitize URL parameters targeting ViperBar endpoints (may cause false positives requiring tuning), or restrict ViperBar usage to authenticated administrator contexts only via WordPress role restrictions (reduces victim pool but doesn't eliminate risk for admin users). Deploy Content Security Policy (CSP) headers with strict script-src directives to limit XSS impact (may break legitimate inline scripts requiring code refactoring). Review WordPress access logs for suspicious URL patterns containing JavaScript payloads in ViperBar-related parameters to identify potential exploitation attempts.

Share

CVE-2025-26557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy