Platform
wordpress
Component
jaroti
Fixed in
1.4.9
CVE-2026-25304 identifies a Reflected Cross-Site Scripting (XSS) vulnerability in the Jaroti WordPress plugin. A crafted URL makes the plugin echo attacker-controlled input into a page without output encoding, so a script chosen by the attacker runs in the browser of whoever opens that URL, with consequences up to account compromise and data theft. The vulnerability affects Jaroti versions 0.0.0 through 1.4.8; the fix is in version 1.4.9.
An attacker exploiting this Reflected XSS vulnerability gets arbitrary JavaScript executed in the victim's browser, in the origin of the affected site, when the victim opens a specially crafted URL. That script can act on the victim's behalf: read session tokens from cookies that are not marked HttpOnly, redirect to a phishing page, alter page content, or issue authenticated requests silently. The impact therefore depends on who the victim is; for an administrator it can amount to complete site takeover and access to all stored data. Because the payload is reflected rather than stored, the blast radius is limited to users who are lured into opening a crafted link, not visitors browsing the site normally.
CVE-2026-25304 was publicly disclosed on 2026-03-25. No public proof-of-concept (PoC) has been identified at the time of writing, but reflected XSS is usually trivial to reproduce once the vulnerable parameter is known, so a PoC is likely to appear. The EPSS score is 0.04% (11th percentile), a low predicted probability of exploitation activity in the wild; that is not in tension with the ease of exploitation, since EPSS measures observed attacker interest rather than difficulty. The vulnerability is not listed in the CISA KEV catalog.
Every site running an affected Jaroti version is at risk: the flaw is in the plugin's own handling of request parameters, so it does not depend on site-specific forms or themes. Sites whose administrators or editors can be reached with a link (by e-mail, support tickets, comments) are the most attractive targets, because those sessions are worth hijacking. Note that reflected XSS runs in the victim's browser, not on the server; by itself it does not give access to the host, so other tenants on a shared host are not compromised through this bug alone, only through what a hijacked privileged session is subsequently used for.
Checks:

• wordpress / composer / npm: list the installed plugin and its version; anything at or below 1.4.8 is affected.
  wp plugin list --status=active | grep jaroti
• wordpress / composer / npm: grepping the plugin source for script tags only enumerates inline JavaScript and does not locate the vulnerable code path; it is listed here for completeness.
  grep -r "<script>" /var/www/wordpress/wp-content/plugins/jaroti/
• generic web: send a GET request (not HEAD, which returns only headers) with a percent-encoded payload in the parameter under test and look for the payload reflected unencoded in the body. Run this only against systems you are authorised to test.
  curl -s 'https://example.com/?param=%3Cscript%3Ealert(1)%3C%2Fscript%3E' | grep -F '<script>alert(1)</script>'
• wordpress / composer / npm: update the plugin.
  wp plugin update jaroti

Disclosure
2026-03-25
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
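The version check above can be made reproducible with the following script. It is an added example, not part of this advisory or of the Jaroti project: it reads the `Version:` header from a plugin's main PHP file the way WordPress does, compares it numerically against the fixed release 1.4.9, and reports whether the install is in the affected range. The plugin path `/var/www/wordpress/wp-content/plugins/jaroti/` is taken from the checks above; the main-file name `jaroti.php` and the sample header written to a temporary directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the advisory or the Jaroti project): flag an installed
# Jaroti plugin as affected by CVE-2026-25304 when its version is below 1.4.9.

FIXED_VERSION="1.4.9"

# version_lt A B: exit 0 when dotted version A is lower than B.
# Components are compared numerically, left to right; missing components count
# as 0, so "1.4" < "1.4.9" and "1.4.10" > "1.4.9" (a plain string comparison
# would get the second case wrong).
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# plugin_version FILE: print the value of the "Version:" plugin header.
# WordPress reads this header from the plugin's main PHP file; the leading
# [[:space:]*]* skips the " * " prefix of a docblock comment line.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# jaroti_is_vulnerable VERSION: exit 0 when VERSION is in the affected range (< 1.4.9).
jaroti_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_plugin_file FILE: print a verdict; exit 0 if vulnerable, 1 if fixed,
# 2 if no version header could be read.
check_plugin_file() {
    v=$(plugin_version "$1")
    if [ -z "$v" ]; then
        echo "no Version header found in $1"
        return 2
    fi
    if jaroti_is_vulnerable "$v"; then
        echo "VULNERABLE: Jaroti $v (fixed in $FIXED_VERSION)"
        return 0
    fi
    echo "ok: Jaroti $v"
    return 1
}

# Constructed sample: a plugin header as it would appear in jaroti.php (the file
# name is an assumption; on a real install the path would be
# /var/www/wordpress/wp-content/plugins/jaroti/jaroti.php).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/jaroti.php" <<'EOF'
<?php
/**
 * Plugin Name: Jaroti
 * Version: 1.4.8
 */
EOF

check_plugin_file "$SAMPLE_DIR/jaroti.php"
```

On a real host, point `check_plugin_file` at the plugin's main file; a non-zero exit from `plugin_version` output being empty means the header was not found and the file name assumption should be revisited, not that the site is safe.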
The primary mitigation for CVE-2026-25304 is to upgrade the Jaroti WordPress plugin to version 1.4.9 or later. If upgrading is not immediately feasible because of compatibility or testing requirements, reduce exposure in the meantime: put a Web Application Firewall (WAF) rule in front of the site that blocks requests whose parameters contain script tags or event-handler attributes (in raw and percent-encoded form), deactivate the plugin if the site can do without it, and, if you maintain your own copy of the plugin code, apply output encoding (esc_html() / esc_attr()) where the reflected parameter is printed. Monitor web server access logs for request URIs containing JavaScript fragments such as <script, javascript: or onerror=. After upgrading, confirm the fix in a test environment by requesting a URL with a simple payload in the affected parameter and verifying that the response encodes it (for example as &lt;script&gt;) instead of reflecting it verbatim.
Update to version 1.4.9, or a newer patched version
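The log monitoring and post-upgrade verification described above, as an added example that is not part of the advisory or of the Jaroti project. The first part triages an access log for reflected-XSS probes (raw and percent-encoded spellings, since logs keep the URL as received); the second checks whether a response body still reflects a payload unencoded. The log lines, client addresses, parameter names and response bodies are all constructed for the example; the advisory does not name the vulnerable parameter, so the placeholders here are not the plugin's real ones.

```shell
#!/bin/sh
# Added example (not from the advisory): triage web-server access logs for
# reflected-XSS probes and check whether a response still reflects a payload
# without encoding it.

# Indicators matched against the logged request line, case-insensitive. Both
# the raw and the percent-encoded spellings are listed because attackers send
# either and the log records the URL exactly as received.
XSS_PATTERNS='<script|%3Cscript|javascript:|javascript%3A|onerror=|onerror%3D|onload=|onload%3D|<svg|%3Csvg|<img|%3Cimg'

# xss_suspects LOGFILE: print log lines whose request carries an indicator.
xss_suspects() {
    grep -iE "$XSS_PATTERNS" "$1"
}

# xss_suspect_count LOGFILE: number of suspicious lines (0 when none). In a
# pipeline only the last command's status counts, so grep's "no match" exit
# status does not abort a script running under set -e.
xss_suspect_count() {
    xss_suspects "$1" | wc -l | tr -d ' '
}

# xss_sources LOGFILE: distinct client addresses that sent suspicious requests.
xss_sources() {
    xss_suspects "$1" | awk '{print $1}' | sort -u
}

# reflects_unencoded BODYFILE PAYLOAD: exit 0 when PAYLOAD appears verbatim in
# the response body, i.e. output encoding is missing. A patched page renders it
# as &lt;script&gt;... (or drops it), which does not match the fixed string.
# Live use: curl -s "$URL" > body && reflects_unencoded body "$PAYLOAD"
reflects_unencoded() {
    grep -qF -- "$2" "$1"
}

# Constructed sample log (Apache combined format). Addresses are from the
# documentation ranges; the query parameter names are placeholders.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.5 - - [25/Mar/2026:10:01:02 +0000] "GET /?s=hello HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Mar/2026:10:02:15 +0000] "GET /?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Mar/2026:10:03:40 +0000] "GET /?x=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5180 "-" "curl/8.0"
203.0.113.9 - - [25/Mar/2026:10:04:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
EOF

# Constructed response bodies: one from an unpatched page that echoes the
# parameter as-is, one from a patched page that HTML-encodes it.
PAYLOAD='<script>alert(1)</script>'
UNPATCHED=$(mktemp)
printf '<p>Results for %s</p>\n' "$PAYLOAD" > "$UNPATCHED"
PATCHED=$(mktemp)
printf '<p>Results for &lt;script&gt;alert(1)&lt;/script&gt;</p>\n' > "$PATCHED"

echo "suspicious requests: $(xss_suspect_count "$LOG")"
echo "sources:"
xss_sources "$LOG"
if reflects_unencoded "$UNPATCHED" "$PAYLOAD"; then
    echo "unpatched body reflects the payload unencoded"
fi
if ! reflects_unencoded "$PATCHED" "$PAYLOAD"; then
    echo "patched body does not reflect the payload unencoded"
fi
```

The indicator list is deliberately short and will produce false positives on legitimate content containing those strings; treat a hit as a lead to inspect (source address, targeted parameter, response size) rather than as confirmed exploitation.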
CVE-2026-25304 is a Reflected XSS vulnerability in the Jaroti WordPress plugin that lets attackers inject scripts via crafted URLs. It affects versions 0.0.0 through 1.4.8 and carries a CVSS score of 7.1 (HIGH).
If you are using the Jaroti WordPress plugin in versions 0.0.0 through 1.4.8, you are affected by this vulnerability. Check the installed plugin version and upgrade to 1.4.9 or later.
The recommended fix is to upgrade the Jaroti WordPress plugin to version 1.4.9 or later. If an immediate upgrade is not possible, use temporary measures such as a WAF rule blocking script payloads in request parameters and, where you control the plugin code, output encoding of the reflected parameter.
No active exploitation has been confirmed and the EPSS score is low (0.04%), but reflected XSS is easy to exploit once the vulnerable parameter is known. Monitor access logs for suspicious URL patterns.
Refer to the official Jaroti plugin documentation and WordPress.org plugin page for updates and advisories related to CVE-2026-25304.