TTT Crop CVE-2025-26588
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound TTT Crop allows Reflected XSS. This issue affects TTT Crop: from n/a through 1.0.
AnalysisAI
Reflected cross-site scripting (XSS) in the WordPress TTT Crop plugin versions up to 1.0 enables remote attackers to inject malicious JavaScript into victim browsers via crafted URLs. With a CVSS score of 7.1 and changed scope, successful exploitation allows attackers to steal session tokens, perform actions as the victim, or deliver phishing content within the WordPress admin context. EPSS exploitation probability is low at 0.09% (26th percentile), and no public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
This vulnerability stems from improper neutralization of user-supplied input during web page generation (CWE-79: Cross-site Scripting). TTT Crop is a WordPress image cropping plugin that fails to adequately sanitize or encode parameters before reflecting them in HTML output. The CVSS vector's changed scope (S:C) indicates the vulnerability can affect resources beyond the plugin's security boundary - in WordPress terms, this means XSS payloads can interact with the broader WordPress admin session, cookies, and same-origin resources. Reflected XSS occurs when untrusted data from HTTP requests (query parameters, POST data, headers) is immediately echoed into the response without proper encoding, allowing attackers to inject <script> tags or event handlers that execute in victims' browsers.
Affected ProductsAI
The vulnerability affects the TTT Crop WordPress plugin in all versions from initial release through version 1.0. According to Patchstack database entries (references provided), version 1.0 is confirmed vulnerable. The plugin is distributed through the WordPress.org plugin repository and is installed on WordPress sites running PHP-based installations. No specific WordPress core version requirements are documented, but standard WordPress plugin security context applies.
RemediationAI
Patchstack has documented this vulnerability in their database at https://patchstack.com/database/wordpress/plugin/ttt-crop/vulnerability/wordpress-ttt-crop-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability, but no patched version beyond 1.0 has been confirmed from available data. Site administrators should check for plugin updates through the WordPress admin dashboard and apply any available patches immediately. If no update exists, consider deactivating and removing TTT Crop until a fix is released, then evaluate alternative image cropping plugins with active security maintenance. As a temporary compensating control, restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules to limit the attack surface for reflected XSS - this reduces the pool of potential victims but does not prevent exploitation if an authorized admin clicks a malicious link. Implement Content Security Policy headers with script-src 'self' to block inline script execution, though this may impact WordPress functionality and requires testing. Monitor WordPress admin access logs for unusual parameter patterns in requests to TTT Crop endpoints.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today