Skip to main content

IE CSS3 Support CVE-2025-26589

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:02 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound IE CSS3 Support allows Reflected XSS. This issue affects IE CSS3 Support: from n/a through 2.0.1.

AnalysisAI

Reflected cross-site scripting in IE CSS3 Support WordPress plugin through version 2.0.1 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication and can impact other site origins due to changed scope (S:C in CVSS). EPSS probability is low (0.09%, 26th percentile) with no confirmed active exploitation or CISA KEV listing, indicating limited real-world targeting despite moderate CVSS 7.1 scoring.

Technical ContextAI

IE CSS3 Support is a WordPress plugin designed to provide CSS3 feature support for legacy Internet Explorer browsers through polyfills or compatibility layers. This vulnerability stems from CWE-79 (Cross-site Scripting) where user-supplied input is incorporated into web page output without proper sanitization or encoding. The reflected XSS class means malicious scripts are embedded in HTTP requests and immediately reflected back in responses, rather than stored persistently. The changed scope metric (S:C) indicates the vulnerability can affect resources beyond the plugin's security context, potentially impacting WordPress core or other plugins through DOM manipulation or session token theft.

Affected ProductsAI

WordPress IE CSS3 Support plugin versions from the initial release through version 2.0.1 are confirmed vulnerable per Patchstack vulnerability database reference. The CPE data is not provided in the intelligence, but the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/ie-css3-support/ indicates all versions up to and including 2.0.1 contain the reflected XSS flaw. Organizations should verify installed versions through WordPress admin dashboard under Plugins section or by checking the plugin's main PHP file version header.

RemediationAI

Primary remediation: Verify if IE CSS3 Support plugin version 2.0.2 or later has been released addressing CVE-2025-26589 by checking the WordPress plugin repository or Patchstack advisory at https://patchstack.com/database/wordpress/plugin/ie-css3-support/. If no patched version exists, immediately deactivate and uninstall the plugin, as modern browsers (Chrome, Firefox, Edge, Safari) natively support CSS3 without polyfills, and Internet Explorer reached end-of-life in June 2022. Workaround if plugin must remain active: implement Web Application Firewall (WAF) rules to inspect and sanitize query parameters and POST data targeting the plugin's endpoints, though this adds latency and may break legitimate functionality. For WordPress administrators using security plugins like Wordfence or Sucuri, enable virtual patching rules for XSS if available, understanding these are detection-based mitigations that may produce false positives and require tuning.

Share

CVE-2025-26589 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy