Platform: wordpress
Component: simple-xml-sitemap
Fixed in: 1.3.1
CVE-2026-22355 describes a Cross-Site Request Forgery (CSRF) vulnerability leading to Stored XSS within the Simple XML Sitemap WordPress plugin. This allows attackers to inject malicious scripts into the plugin, potentially impacting website visitors and administrators. The vulnerability affects versions from 0.0.0 through 1.3. A fix is expected in a future release.
Successful exploitation of CVE-2026-22355 allows an attacker to inject arbitrary JavaScript code into the Simple XML Sitemap plugin. This code can then be triggered when a user visits a page containing the malicious script, leading to a cross-site scripting (XSS) attack. An attacker could steal user cookies, hijack user sessions, redirect users to malicious websites, or deface the website. The impact is particularly severe for websites with sensitive user data or administrative functionality accessible through the WordPress dashboard. The CSRF aspect means an attacker doesn't need user interaction to trigger the XSS, making it more dangerous.
CVE-2026-22355 was publicly disclosed on 2026-01-22. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. The ease of exploitation is moderate, as it requires crafting a malicious request and leveraging CSRF. The impact is high due to the potential for account takeover and data theft.
Exploit Status
EPSS: 0.01% (0% percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-22355 is to upgrade to a patched version of the Simple XML Sitemap plugin as soon as it becomes available. Until a patch is released, consider implementing a Content Security Policy (CSP) to restrict the execution of inline scripts. Additionally, implement strict input validation and output encoding within the plugin's code to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured with rules to detect and block XSS attempts can provide an additional layer of protection. Monitor WordPress logs for suspicious activity, particularly requests targeting the sitemap generation endpoints.
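The mitigations above (CSRF protection, input validation, output encoding) map onto a few WordPress APIs. The following is an added example of a hypothetical plugin settings handler, not the Simple XML Sitemap plugin's own code; the option name `sxs_demo_excluded_urls`, the nonce action `sxs_demo_save_settings` and the `admin_post_sxs_demo_save` hook are invented for illustration. It shows the vulnerable pattern behind a CSRF-to-stored-XSS bug class beside a hardened version.

```php
<?php
/*
 * Added example, not the Simple XML Sitemap plugin's code.
 * Option, nonce and action names are hypothetical.
 */

// --- Vulnerable pattern: the bug class described by CVE-2026-22355 ---
// No nonce, no capability check, raw input stored, raw output echoed.
function sxs_demo_save_settings_vulnerable() {
    if ( isset( $_POST['sxs_demo_excluded_urls'] ) ) {
        update_option( 'sxs_demo_excluded_urls', $_POST['sxs_demo_excluded_urls'] );
    }
}
function sxs_demo_render_field_vulnerable() {
    // The stored value is printed unescaped: markup an attacker tricked an
    // administrator into submitting now renders for everyone who opens this page.
    echo '<textarea name="sxs_demo_excluded_urls">'
        . get_option( 'sxs_demo_excluded_urls', '' ) . '</textarea>';
}

// --- Hardened pattern ---
function sxs_demo_render_form() {
    $value = get_option( 'sxs_demo_excluded_urls', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="sxs_demo_save">';
    // Per-user, time-limited token that a cross-site request cannot forge.
    wp_nonce_field( 'sxs_demo_save_settings', 'sxs_demo_nonce' );
    // Output encoding: the stored value is escaped for a textarea context.
    echo '<textarea name="sxs_demo_excluded_urls">' . esc_textarea( $value ) . '</textarea>';
    echo '<button type="submit">Save</button></form>';
}

function sxs_demo_save_settings() {
    // 1. Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF defence: die unless the nonce from our own form is present and valid.
    check_admin_referer( 'sxs_demo_save_settings', 'sxs_demo_nonce' );

    // 3. Input validation: keep one http(s) URL per line, drop everything else.
    $raw   = isset( $_POST['sxs_demo_excluded_urls'] )
        ? wp_unslash( $_POST['sxs_demo_excluded_urls'] ) : '';
    $lines = array_filter( array_map( 'trim', explode( "\n", $raw ) ) );
    $clean = array();
    foreach ( $lines as $line ) {
        $url = esc_url_raw( $line, array( 'http', 'https' ) );
        if ( '' !== $url ) {
            $clean[] = $url;
        }
    }
    update_option( 'sxs_demo_excluded_urls', implode( "\n", $clean ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_sxs_demo_save', 'sxs_demo_save_settings' );
```

The three checks are layered on purpose: the capability check stops unprivileged users, the nonce stops a logged-in administrator's browser from being driven by a third-party page, and sanitizing on input plus escaping on output means that even a value that slips past the first two cannot execute as script. A Content Security Policy adds a further layer, but wp-admin relies on inline scripts, so a strict `script-src` policy needs testing rather than being dropped in blindly.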
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-22355 is a Cross-Site Scripting (XSS) vulnerability in the Simple XML Sitemap WordPress plugin, allowing attackers to inject malicious scripts.
You are affected if you are using the Simple XML Sitemap plugin in WordPress versions 0.0.0 through 1.3. Check your plugin versions immediately.
Upgrade to a patched version of the Simple XML Sitemap plugin as soon as it's available. Until then, implement CSP and input validation.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply mitigations proactively.
Check the plugin author's website or WordPress plugin repository for updates and advisories related to CVE-2026-22355.