Platform
wordpress
Component
remoji
Fixed in
2.2.1
CVE-2026-25452 describes a Stored Cross-Site Scripting (XSS) vulnerability within the Remoji WordPress plugin. This flaw allows attackers to inject malicious scripts that are stored on the server and executed when other users access affected pages. The vulnerability impacts versions of Remoji from 0.0.0 through 2.2 and can lead to account compromise and data theft. A fix is available in version 2.2.1.
Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code in the context of a victim's browser. This can lead to various malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive user data like cookies and authentication tokens. The stored nature of the vulnerability means that the malicious script persists until removed, potentially affecting numerous users over time. The impact is amplified if the website handles sensitive information or is used for critical business operations.
CVE-2026-25452 was publicly disclosed on 2026-03-25. Currently, there are no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. The HIGH CVSS score indicates a significant risk, and the stored nature of the XSS makes it a persistent threat if left unaddressed.
Websites using the Remoji plugin, particularly those with user-generated content or forms where user input is not properly sanitized, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromised website could potentially be used to attack other websites on the same server.
• wordpress / composer / npm:
  grep -r "<script>" /var/www/html/wp-content/plugins/remoji/*
• wordpress / composer / npm:
  wp plugin list | grep remoji
• wordpress / composer / npm:
  wp plugin update remoji --version=2.2.1
Disclosure
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25452 is to immediately upgrade the Remoji plugin to version 2.2.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious script injections. Specifically, look for patterns associated with JavaScript injection attempts. Regularly scan the WordPress database for suspicious scripts or code that may have been injected prior to patching. After upgrading, verify the fix by attempting to inject a simple JavaScript payload through a vulnerable input field and confirming that it is not executed.
CVE-2026-25452 is a Stored XSS vulnerability in the Remoji WordPress plugin, allowing attackers to inject malicious scripts that are stored and executed by other users.
You are affected if you are using Remoji versions 0.0.0 through 2.2. Check your plugin versions and update immediately.
Update the Remoji plugin to version 2.2.1 or later. If upgrading is not possible, temporarily disable the plugin.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that exploitation will occur.
Refer to the Remoji plugin's official website or WordPress plugin repository for the latest advisory and update information.