Small Package Quotes - Unishippers Edition CVE-2025-26918
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in enituretechnology Small Package Quotes - Unishippers Edition allows Reflected XSS. This issue affects Small Package Quotes - Unishippers Edition: from n/a through 2.4.9.
AnalysisAI
Reflected cross-site scripting (XSS) in the Small Package Quotes - Unishippers Edition WordPress plugin through version 2.4.9 allows remote attackers to inject malicious scripts that execute in victims' browsers when users click crafted links. The CVSS vector indicates network-based exploitation requiring user interaction but no authentication, with changed scope enabling attacks beyond the vulnerable component's security context. EPSS score of 0.08% (25th percentile) suggests low observed exploitation activity, though no public exploit code or CISA KEV listing exists at time of analysis.
Technical ContextAI
This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in a WordPress plugin for shipping rate calculation. The affected product (cpe:2.3:a:eniture:small_package_quotes:*:*:*:*:unishippers:wordpress) fails to properly sanitize user-supplied input before reflecting it in HTTP responses, allowing JavaScript injection. Reflected XSS occurs when attacker-controlled data is immediately echoed back in web responses without encoding, enabling script execution when victims interact with malicious URLs. Unlike stored XSS, reflected variants require social engineering to deliver the payload, typically through phishing emails or compromised websites. WordPress plugins frequently suffer from XSS due to inadequate input validation in admin interfaces, shipping calculators, or form handlers where user parameters are processed and displayed.
RemediationAI
Upgrade Small Package Quotes - Unishippers Edition to a version newer than 2.4.9 once available from the WordPress plugin repository or vendor directly. Check the plugin's changelog at https://wordpress.org/plugins/small-package-quotes-unishippers-edition/ or contact Eniture Technology for patched releases addressing CVE-2025-26918. Until a patch is deployed, implement compensating controls: disable the plugin if shipping rate functionality is not actively required (eliminates attack surface entirely but breaks shipping calculations); restrict WordPress admin access to trusted IP ranges via .htaccess or firewall rules (reduces phishing success by limiting who can interact with vulnerable endpoints, though this may impact legitimate remote administrators); deploy Web Application Firewall (WAF) rules to block common XSS patterns in HTTP parameters targeting this plugin (may cause false positives on legitimate quote requests containing special characters); educate administrative users about phishing risks and instruct them to verify URL authenticity before clicking links in unsolicited emails (reduces UI:R attack vector success but relies on human vigilance). Consult Patchstack advisory at https://patchstack.com/database/wordpress/plugin/small-package-quotes-unishippers-edition/vulnerability/wordpress-small-package-quotes-unishippers-edition-plugin-2-4-9-reflected-cross-site-scripting-xss-vulnerability for specific technical details and potential hotfixes.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today