Skip to main content

Variable Inspector CVE-2025-26914

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:02 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bowo Variable Inspector allows Reflected XSS. This issue affects Variable Inspector: from n/a through 2.6.2.

AnalysisAI

Reflected cross-site scripting in Variable Inspector WordPress plugin versions up to 2.6.2 enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. The vulnerability stems from improper neutralization of input during page generation (CWE-79). With CVSS 7.1 and scope change capability, successful exploitation allows limited data theft, session hijacking, and malicious actions under victim context. EPSS score of 0.09% (26th percentile) suggests low probability of mass exploitation. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation campaigns.

Technical ContextAI

This is a reflected cross-site scripting (XSS) vulnerability in the Variable Inspector WordPress plugin, a development and debugging tool. The flaw results from CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input is incorporated into HTML output without proper sanitization or encoding. In reflected XSS attacks, malicious scripts are embedded in URLs or form inputs and immediately returned in the server response. The CVSS vector indicates scope change (S:C), meaning the vulnerable component (the plugin) differs from the impacted component (victim browser/session), allowing the attack to affect resources beyond the plugin's security boundary. WordPress plugins commonly suffer XSS when processing URL parameters, search queries, or admin interface inputs without using WordPress's built-in sanitization functions like esc_html(), esc_url(), or wp_kses().

Affected ProductsAI

Variable Inspector WordPress plugin versions from initial release through 2.6.2 inclusive are confirmed vulnerable per Patchstack advisory. The plugin is developed by Bowo and available through the WordPress.org plugin repository. Installations running any version up to and including 2.6.2 should be considered at risk if exposed to potential attackers who can deliver malicious URLs to authenticated users. Patchstack provides detailed vulnerability information at their database link: https://patchstack.com/database/wordpress/plugin/variable-inspector/vulnerability/wordpress-variable-inspector-plugin-2-6-2-reflected-cross-site-scripting-xss-vulnerability.

RemediationAI

No vendor-released patch version identified at time of analysis-Patchstack advisory does not specify a fixed version beyond identifying 2.6.2 as vulnerable. Check WordPress.org plugin repository for Variable Inspector updates beyond version 2.6.2 or monitor Bowo's official release channels. Until a confirmed patched version is available, implement these compensating controls: (1) Remove Variable Inspector entirely from production WordPress installations-this debugging plugin should never run in live environments and its absence eliminates attack surface with no functional impact on public sites. (2) For development/staging environments requiring the plugin, restrict access via IP allowlisting at web server or firewall level to trusted developer networks only, preventing external attackers from delivering malicious URLs. Trade-off: requires maintaining IP allowlists and breaks access for remote developers without VPN. (3) Implement Content Security Policy headers with strict script-src directives to prevent inline JavaScript execution, mitigating XSS impact even if payload is reflected. Trade-off: may break legitimate plugin functionality requiring inline scripts. Advisory reference: https://patchstack.com/database/wordpress/plugin/variable-inspector/vulnerability/wordpress-variable-inspector-plugin-2-6-2-reflected-cross-site-scripting-xss-vulnerability.

Share

CVE-2025-26914 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy