DL Leadback CVE-2025-26585
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound DL Leadback allows Reflected XSS. This issue affects DL Leadback: from n/a through 1.2.1.
AnalysisAI
Reflected cross-site scripting in DL Leadback WordPress plugin versions up to 1.2.1 allows remote attackers to inject malicious scripts that execute in victim browsers when users click crafted links. The vulnerability permits theft of session cookies, credential harvesting, or defacement of WordPress admin interfaces. EPSS score of 0.09% (26th percentile) suggests low observed exploitation activity, and no active exploitation is confirmed via CISA KEV. Patchstack documented this XSS flaw affecting all installations through version 1.2.1.
Technical ContextAI
DL Leadback is a WordPress plugin for tracking lead sources and referrer information. The CWE-79 (Cross-site Scripting) flaw stems from improper neutralization of user-supplied input before rendering it in HTML output - the plugin fails to sanitize or encode attacker-controlled data (likely URL parameters or form inputs) before reflecting them back in web pages. WordPress plugins commonly introduce XSS when handling $_GET or $_REQUEST variables without using WordPress escaping functions like esc_html(), esc_url(), or wp_kses(). The CVSS scope change (S:C) indicates the vulnerability can affect resources beyond the vulnerable component's security scope, typical when XSS executes in authenticated admin contexts with cross-domain implications.
Affected ProductsAI
DL Leadback WordPress plugin versions from initial release through 1.2.1 are confirmed vulnerable per Patchstack research. All WordPress sites with DL Leadback installed in versions ≤1.2.1 are affected regardless of WordPress core version. No CPE identifier was provided in NVD data. Vendor advisory available at https://patchstack.com/database/wordpress/plugin/dl-leadback/vulnerability/wordpress-dl-leadback-plugin-1-2-1-reflected-cross-site-scripting-xss-vulnerability.
RemediationAI
Upgrade DL Leadback plugin to version 1.2.2 or later if available, per standard WordPress plugin update procedures (Dashboard → Plugins → Update). Verify patch availability at the official WordPress plugin repository or contact plugin author NotFound directly. If patched version is not yet released, implement compensating controls: disable the DL Leadback plugin entirely via WordPress admin panel until patch is available; configure WordPress Web Application Firewall (WAF) rules to block common XSS payloads in query parameters (trade-off: may cause false positives for legitimate special characters in URLs); restrict WordPress admin access to trusted IP ranges via .htaccess or hosting provider firewall (reduces attack surface but limits remote administration). Review WordPress access logs for suspicious query parameters containing script tags, event handlers, or JavaScript protocol handlers to detect exploitation attempts. Patchstack advisory: https://patchstack.com/database/wordpress/plugin/dl-leadback/vulnerability/wordpress-dl-leadback-plugin-1-2-1-reflected-cross-site-scripting-xss-vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today