Variable Inspector CVE-2025-26914
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bowo Variable Inspector allows Reflected XSS. This issue affects Variable Inspector: from n/a through 2.6.2.
AnalysisAI
Reflected cross-site scripting in Variable Inspector WordPress plugin versions up to 2.6.2 enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. The vulnerability stems from improper neutralization of input during page generation (CWE-79). With CVSS 7.1 and scope change capability, successful exploitation allows limited data theft, session hijacking, and malicious actions under victim context. EPSS score of 0.09% (26th percentile) suggests low probability of mass exploitation. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation campaigns.
Technical ContextAI
This is a reflected cross-site scripting (XSS) vulnerability in the Variable Inspector WordPress plugin, a development and debugging tool. The flaw results from CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input is incorporated into HTML output without proper sanitization or encoding. In reflected XSS attacks, malicious scripts are embedded in URLs or form inputs and immediately returned in the server response. The CVSS vector indicates scope change (S:C), meaning the vulnerable component (the plugin) differs from the impacted component (victim browser/session), allowing the attack to affect resources beyond the plugin's security boundary. WordPress plugins commonly suffer XSS when processing URL parameters, search queries, or admin interface inputs without using WordPress's built-in sanitization functions like esc_html(), esc_url(), or wp_kses().
Affected ProductsAI
Variable Inspector WordPress plugin versions from initial release through 2.6.2 inclusive are confirmed vulnerable per Patchstack advisory. The plugin is developed by Bowo and available through the WordPress.org plugin repository. Installations running any version up to and including 2.6.2 should be considered at risk if exposed to potential attackers who can deliver malicious URLs to authenticated users. Patchstack provides detailed vulnerability information at their database link: https://patchstack.com/database/wordpress/plugin/variable-inspector/vulnerability/wordpress-variable-inspector-plugin-2-6-2-reflected-cross-site-scripting-xss-vulnerability.
RemediationAI
No vendor-released patch version identified at time of analysis-Patchstack advisory does not specify a fixed version beyond identifying 2.6.2 as vulnerable. Check WordPress.org plugin repository for Variable Inspector updates beyond version 2.6.2 or monitor Bowo's official release channels. Until a confirmed patched version is available, implement these compensating controls: (1) Remove Variable Inspector entirely from production WordPress installations-this debugging plugin should never run in live environments and its absence eliminates attack surface with no functional impact on public sites. (2) For development/staging environments requiring the plugin, restrict access via IP allowlisting at web server or firewall level to trusted developer networks only, preventing external attackers from delivering malicious URLs. Trade-off: requires maintaining IP allowlists and breaks access for remote developers without VPN. (3) Implement Content Security Policy headers with strict script-src directives to prevent inline JavaScript execution, mitigating XSS impact even if payload is reflected. Trade-off: may break legitimate plugin functionality requiring inline scripts. Advisory reference: https://patchstack.com/database/wordpress/plugin/variable-inspector/vulnerability/wordpress-variable-inspector-plugin-2-6-2-reflected-cross-site-scripting-xss-vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today