Skip to main content

Remoji CVE-2026-25452

| EUVDEUVD-2026-15730 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-8gj9-mjf2-56qh
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15730
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDO Remoji remoji allows Stored XSS.This issue affects Remoji: from n/a through <= 2.2.

AnalysisAI

A Stored Cross-Site Scripting (XSS) vulnerability exists in the WPDO Remoji WordPress plugin through version 2.2, allowing attackers to inject malicious JavaScript code that persists in the database and executes in the browsers of site visitors. This vulnerability affects all installations of Remoji up to and including version 2.2, enabling authenticated or unauthenticated attackers (depending on plugin configuration) to compromise website visitors' sessions, steal credentials, or redirect users to malicious sites. While CVSS and EPSS scores are not publicly available, the vulnerability's classification as Stored XSS and reporting through Patchstack indicate moderate-to-high real-world severity.

Technical ContextAI

The vulnerability stems from improper neutralization of user-controlled input during web page generation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The WPDO Remoji plugin (CPE: cpe:2.3:a:wpdo:remoji:*:*:*:*:*:*:*:*) fails to adequately sanitize or escape user-supplied data before storing it in the WordPress database or rendering it in HTML output. Stored XSS differs from Reflected XSS in that the malicious payload is persisted server-side, making it execute every time the affected page or content is loaded, rather than requiring a crafted URL. WordPress plugins are server-side extensions that process user input through various functions—such as shortcodes, AJAX handlers, and post meta fields—and this plugin likely fails to use WordPress security functions like sanitize_text_field(), wp_kses_post(), or esc_html() at input validation or output encoding stages.

RemediationAI

Immediately update the WPDO Remoji plugin to the latest available version beyond 2.2 if a patch has been released; verify patch availability on Patchstack and the WordPress.org plugin repository. If no patch is available, disable the Remoji plugin until remediation is deployed. For WordPress administrators unable to patch immediately, implement Content Security Policy (CSP) headers with script-src restrictions to limit XSS execution scope, and ensure all user input validation uses WordPress security functions such as sanitize_text_field() and wp_kses_post(). Additionally, enforce strong authentication for any administrative plugin functionality, restrict plugin file uploads or settings modification to trusted administrators only, and implement regular security scanning of stored post meta and custom fields for signs of XSS payload injection. Monitor Patchstack at https://patchstack.com/database/Wordpress/Plugin/remoji/vulnerability/wordpress-remoji-plugin-2-2-cross-site-scripting-xss-vulnerability for patch release notifications.

Share

CVE-2026-25452 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy