Platform: wordpress
Component: simple-xml-sitemap
Fixed in: 1.3.1
CVE-2026-22355 describes a Cross-Site Request Forgery (CSRF) vulnerability leading to Stored XSS within the Simple XML Sitemap WordPress plugin. This allows attackers to inject malicious scripts into the plugin, potentially impacting website visitors and administrators. The vulnerability affects versions from 0.0.0 through 1.3. A fix is expected in a future release.
The primary impact of CVE-2026-22355 is the ability for an attacker to inject arbitrary JavaScript code into the Simple XML Sitemap plugin's data storage. Because this is a Stored XSS vulnerability, the malicious script persists and can be triggered by any user visiting a page affected by the injected script. This could lead to session hijacking, credential theft (e.g., stealing WordPress administrator credentials), defacement of the website, or redirection to malicious sites. The attacker would need to craft a malicious request that exploits the CSRF vulnerability to inject the XSS payload, typically by tricking a legitimate user into clicking a crafted link or visiting a compromised page.
CVE-2026-22355 was publicly disclosed on 2026-01-22. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 7.1 (HIGH) indicates a significant risk, and the CSRF-based XSS nature makes it relatively easy to exploit, especially on sites with limited security controls. Monitor security advisories and vulnerability databases for any updates regarding exploitation attempts.
Websites using the Simple XML Sitemap plugin, particularly those with user authentication or sensitive data, are at risk. Shared WordPress hosting environments are particularly vulnerable as attackers could potentially exploit this vulnerability on multiple websites hosted on the same server. Sites using older, unmaintained versions of WordPress are also at higher risk.
• wordpress / composer / npm:
grep -r "<script" /var/www/html/wp-content/plugins/simple-xml-sitemap/
• wordpress / composer / npm:
wp plugin list --status=inactive | grep simple-xml-sitemap
• wordpress / composer / npm:
wp plugin list | grep simple-xml-sitemap
disclosure
Exploit status
EPSS: 0.01% (0th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-22355 is to immediately update the Simple XML Sitemap plugin to a version that addresses the CSRF vulnerability. If upgrading is not immediately feasible, implement CSRF protection mechanisms at the WordPress level, such as using a security plugin that adds CSRF tokens to all forms. Additionally, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to block malicious requests. Regularly review WordPress plugin installations and remove any unused or outdated plugins to reduce the attack surface. After upgrading, confirm the vulnerability is resolved by attempting to trigger the XSS payload and verifying that it is blocked or sanitized.
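The following is an added illustration of the WordPress-level CSRF and XSS controls the mitigation text refers to; it is not code from the Simple XML Sitemap plugin. It shows a settings handler written the unsafe way (no nonce, no capability check, raw input stored and echoed) beside the hardened form using WordPress's own nonce, capability, sanitisation and escaping APIs. The option, nonce and function names prefixed `sxs_example_` are hypothetical.

```php
<?php
/*
 * Added illustration, not the Simple XML Sitemap plugin's own code.
 * Option, nonce and hook names (sxs_example_*) are hypothetical.
 */

// --- Unsafe pattern: no nonce, no capability check, no sanitisation. ---
// A forged cross-site POST issued from a logged-in administrator's browser
// reaches this function; the raw value is stored and later echoed into a
// page unescaped, which is exactly the CSRF-to-stored-XSS chain described above.
function sxs_example_save_settings_unsafe() {
    if ( isset( $_POST['sxs_example_title'] ) ) {
        update_option( 'sxs_example_title', $_POST['sxs_example_title'] );
    }
}
function sxs_example_render_title_unsafe() {
    echo '<h2>' . get_option( 'sxs_example_title', '' ) . '</h2>';
}

// --- Hardened pattern ---
function sxs_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'sxs_example_save', 'sxs_example_nonce' ); ?>
        <input type="hidden" name="action" value="sxs_example_save" />
        <input type="text" name="sxs_example_title"
               value="<?php echo esc_attr( get_option( 'sxs_example_title', '' ) ); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}

function sxs_example_save_settings_hardened() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: the nonce is tied to this action and to the current
    //    user's session, so a request forged from another origin fails here.
    check_admin_referer( 'sxs_example_save', 'sxs_example_nonce' );
    // 3. Sanitise on input: a plain-text field gets tags and control
    //    characters stripped before it is stored.
    $title = isset( $_POST['sxs_example_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['sxs_example_title'] ) )
        : '';
    update_option( 'sxs_example_title', $title );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_sxs_example_save', 'sxs_example_save_settings_hardened' );

function sxs_example_render_title_hardened() {
    // 4. Escape on output: even if a value reached the option by some other
    //    path, it is rendered as text rather than executed as script.
    echo '<h2>' . esc_html( get_option( 'sxs_example_title', '' ) ) . '</h2>';
}
```

The nonce check alone closes the CSRF entry point; sanitising on input and escaping on output are the defence in depth that keeps a stored value from ever executing, which is what you want verified when confirming a fix.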
No known patch available. Please review the details of the vulnerability carefully and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2026-22355 is a Cross-Site Scripting (XSS) vulnerability in the Simple XML Sitemap WordPress plugin, allowing attackers to inject malicious scripts.
You are affected if you are using the Simple XML Sitemap plugin in WordPress versions 0.0.0 through 1.3. Check your plugin versions immediately.
Upgrade to a patched version of the Simple XML Sitemap plugin as soon as it's available. Until then, implement CSP and input validation.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply mitigations proactively.
Check the plugin author's website or WordPress plugin repository for updates and advisories related to CVE-2026-22355.