sidebarTabs WordPress Plugin CVE-2025-26587
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound sidebarTabs allows Reflected XSS. This issue affects sidebarTabs: from n/a through 3.1.
AnalysisAI
Reflected cross-site scripting (XSS) in sidebarTabs WordPress plugin versions ≤3.1 enables remote attackers to inject malicious scripts via crafted URLs that execute in victim browsers when user interaction occurs. Reported by Patchstack security research (audit@patchstack.com), this vulnerability exploits improper input neutralization during page generation. EPSS score of 0.09% (26th percentile) suggests low widespread exploitation probability, with no CISA KEV listing or public POC identified at time of analysis, indicating limited active exploitation despite moderate CVSS severity.
Technical ContextAI
This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), where the sidebarTabs WordPress plugin fails to properly sanitize user-supplied input before rendering it in HTML responses. WordPress plugins often accept parameters through GET/POST requests or URL paths; when these inputs are reflected back into the page without encoding HTML special characters (such as <, >, ", '), attackers can inject JavaScript payloads. The CVSS vector indicates network-accessible exploitation (AV:N) with low complexity (AC:L), meaning no special access conditions or timing requirements are needed beyond tricking a user into clicking a malicious link. The changed scope (S:C) indicates the malicious script executes in the victim's browser context, potentially accessing cookies, session tokens, or performing actions on behalf of the authenticated user across the WordPress site's security boundary.
Affected ProductsAI
This vulnerability affects the sidebarTabs WordPress plugin developed by NotFound, specifically all versions from the earliest release through version 3.1 inclusive. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/sidebartabs/vulnerability/wordpress-sidebartabs-plugin-3-1-reflected-cross-site-scripting-xss-vulnerability confirms version 3.1 as the last known vulnerable release. Organizations using any version of sidebarTabs ≤3.1 in their WordPress installations should consider themselves affected. The vulnerability exists in the plugin's web page generation logic regardless of specific WordPress core version, though exploitation requires the plugin to be active.
RemediationAI
Immediately update sidebarTabs to a patched version if available by checking the WordPress plugin repository or contacting the vendor NotFound directly. As of this analysis, no specific patched version number has been independently confirmed in the provided data sources-verify current version status at https://wordpress.org/plugins/sidebartabs/ or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/sidebartabs/vulnerability/wordpress-sidebartabs-plugin-3-1-reflected-cross-site-scripting-xss-vulnerability. If no patch exists, implement compensating controls: deploy a Web Application Firewall (WAF) with XSS detection rules to filter malicious parameters (trade-off: may cause false positives requiring tuning); disable the sidebarTabs plugin entirely if not business-critical (trade-off: loss of sidebar functionality); or restrict plugin access to trusted administrative users only via WordPress role permissions (trade-off: limits legitimate use cases). Configure Content-Security-Policy headers to restrict inline script execution (trade-off: may break legitimate plugin JavaScript). Monitor web server logs for suspicious URL patterns containing script tags or JavaScript event handlers in query parameters.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today