Skip to main content

Small Package Quotes - Unishippers Edition CVE-2025-26918

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 25, 2026 - 01:01 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:42 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:42 NVD
6.1 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
MEDIUM 6.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in enituretechnology Small Package Quotes - Unishippers Edition allows Reflected XSS. This issue affects Small Package Quotes - Unishippers Edition: from n/a through 2.4.9.

AnalysisAI

Reflected cross-site scripting (XSS) in the Small Package Quotes - Unishippers Edition WordPress plugin through version 2.4.9 allows remote attackers to inject malicious scripts that execute in victims' browsers when users click crafted links. The CVSS vector indicates network-based exploitation requiring user interaction but no authentication, with changed scope enabling attacks beyond the vulnerable component's security context. EPSS score of 0.08% (25th percentile) suggests low observed exploitation activity, though no public exploit code or CISA KEV listing exists at time of analysis.

Technical ContextAI

This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in a WordPress plugin for shipping rate calculation. The affected product (cpe:2.3:a:eniture:small_package_quotes:*:*:*:*:unishippers:wordpress) fails to properly sanitize user-supplied input before reflecting it in HTTP responses, allowing JavaScript injection. Reflected XSS occurs when attacker-controlled data is immediately echoed back in web responses without encoding, enabling script execution when victims interact with malicious URLs. Unlike stored XSS, reflected variants require social engineering to deliver the payload, typically through phishing emails or compromised websites. WordPress plugins frequently suffer from XSS due to inadequate input validation in admin interfaces, shipping calculators, or form handlers where user parameters are processed and displayed.

RemediationAI

Upgrade Small Package Quotes - Unishippers Edition to a version newer than 2.4.9 once available from the WordPress plugin repository or vendor directly. Check the plugin's changelog at https://wordpress.org/plugins/small-package-quotes-unishippers-edition/ or contact Eniture Technology for patched releases addressing CVE-2025-26918. Until a patch is deployed, implement compensating controls: disable the plugin if shipping rate functionality is not actively required (eliminates attack surface entirely but breaks shipping calculations); restrict WordPress admin access to trusted IP ranges via .htaccess or firewall rules (reduces phishing success by limiting who can interact with vulnerable endpoints, though this may impact legitimate remote administrators); deploy Web Application Firewall (WAF) rules to block common XSS patterns in HTTP parameters targeting this plugin (may cause false positives on legitimate quote requests containing special characters); educate administrative users about phishing risks and instruct them to verify URL authenticity before clicking links in unsolicited emails (reduces UI:R attack vector success but relies on human vigilance). Consult Patchstack advisory at https://patchstack.com/database/wordpress/plugin/small-package-quotes-unishippers-edition/vulnerability/wordpress-small-package-quotes-unishippers-edition-plugin-2-4-9-reflected-cross-site-scripting-xss-vulnerability for specific technical details and potential hotfixes.

Share

CVE-2025-26918 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy