Skip to main content

TTT Crop CVE-2025-26588

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:03 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound TTT Crop allows Reflected XSS. This issue affects TTT Crop: from n/a through 1.0.

AnalysisAI

Reflected cross-site scripting (XSS) in the WordPress TTT Crop plugin versions up to 1.0 enables remote attackers to inject malicious JavaScript into victim browsers via crafted URLs. With a CVSS score of 7.1 and changed scope, successful exploitation allows attackers to steal session tokens, perform actions as the victim, or deliver phishing content within the WordPress admin context. EPSS exploitation probability is low at 0.09% (26th percentile), and no public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

This vulnerability stems from improper neutralization of user-supplied input during web page generation (CWE-79: Cross-site Scripting). TTT Crop is a WordPress image cropping plugin that fails to adequately sanitize or encode parameters before reflecting them in HTML output. The CVSS vector's changed scope (S:C) indicates the vulnerability can affect resources beyond the plugin's security boundary - in WordPress terms, this means XSS payloads can interact with the broader WordPress admin session, cookies, and same-origin resources. Reflected XSS occurs when untrusted data from HTTP requests (query parameters, POST data, headers) is immediately echoed into the response without proper encoding, allowing attackers to inject <script> tags or event handlers that execute in victims' browsers.

Affected ProductsAI

The vulnerability affects the TTT Crop WordPress plugin in all versions from initial release through version 1.0. According to Patchstack database entries (references provided), version 1.0 is confirmed vulnerable. The plugin is distributed through the WordPress.org plugin repository and is installed on WordPress sites running PHP-based installations. No specific WordPress core version requirements are documented, but standard WordPress plugin security context applies.

RemediationAI

Patchstack has documented this vulnerability in their database at https://patchstack.com/database/wordpress/plugin/ttt-crop/vulnerability/wordpress-ttt-crop-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability, but no patched version beyond 1.0 has been confirmed from available data. Site administrators should check for plugin updates through the WordPress admin dashboard and apply any available patches immediately. If no update exists, consider deactivating and removing TTT Crop until a fix is released, then evaluate alternative image cropping plugins with active security maintenance. As a temporary compensating control, restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules to limit the attack surface for reflected XSS - this reduces the pool of potential victims but does not prevent exploitation if an authorized admin clicks a malicious link. Implement Content Security Policy headers with script-src 'self' to block inline script execution, though this may impact WordPress functionality and requires testing. Monitor WordPress admin access logs for unusual parameter patterns in requests to TTT Crop endpoints.

Share

CVE-2025-26588 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy