Platform: wordpress
Component: phox-host
Fixed in: 2.0.9
CVE-2026-25013 identifies a Reflected Cross-Site Scripting (XSS) vulnerability within Phox Hosting, a WordPress plugin. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise or data theft. The vulnerability impacts versions from 0.0.0 up to and including 2.0.8, but is resolved in version 2.0.9.
The primary impact of this Reflected XSS vulnerability lies in the attacker's ability to execute arbitrary JavaScript code within the context of a victim's browser session. This can be leveraged to steal cookies, redirect users to phishing sites, or deface the website. Successful exploitation could grant an attacker access to sensitive user data, including login credentials and personal information stored within the Phox Hosting system. Given the plugin's potential integration with WHMCS, the blast radius could extend to WHMCS user accounts as well, depending on the specific configuration and data flow.
CVE-2026-25013 was publicly disclosed on 2026-03-25. While no public proof-of-concept (PoC) has been widely reported, the ease of exploitation for Reflected XSS vulnerabilities means it is likely to be targeted. The EPSS score is likely medium, given the relatively straightforward nature of the attack and the potential for widespread impact. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation is to immediately upgrade Phox Hosting to version 2.0.9 or later. If upgrading is not feasible due to compatibility issues or breaking changes, consider implementing input validation and output encoding on all user-supplied data displayed on the website. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can provide an additional layer of defense. Monitor web server access logs for suspicious URL patterns containing JavaScript code.
Update to version 2.0.9, or a newer patched version
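The log-monitoring step in the mitigation above, as an added example that is not part of this advisory or of the Phox Hosting plugin: a small Python triage script that parses Apache/nginx combined-format access-log lines (the sample lines are constructed, not real traffic), percent-decodes every query value repeatedly so that double-encoded payloads are inspected in their final browser-visible form, and flags values carrying textbook reflected-XSS markers. The log format, the parameter names, the source addresses and the patterns are all assumptions; this advisory does not name the plugin's vulnerable parameter, so none is assumed here.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format. They are
# illustrative only, not traffic observed against any real Phox Hosting site.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=phox-host&tab=billing HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Mar/2026:10:00:07 +0000] "GET /wp-admin/admin.php?page=phox-host&q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Mar/2026:10:00:12 +0000] "GET /?s=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Mar/2026:10:00:20 +0000] "GET /?redirect=javascript%3Aalert(1) HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [25/Mar/2026:10:01:00 +0000] "GET /index.php?p=hello%20world HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

# Combined log format: client, identd, user, [time], "METHOD target PROTO", status, ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Textbook reflected-XSS markers. Deliberately coarse: the goal is triage of
# log lines, not a replacement for output encoding in the plugin itself.
XSS_PATTERNS = [
    (re.compile(r"<\s*script\b", re.I), "script tag"),
    (re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.I), "inline event handler"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <)
    are compared in their final, browser-visible form. Bounded to avoid
    spending unbounded time on pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request_target(target):
    """Return [(param, reason), ...] for every query parameter whose decoded
    value matches one of XSS_PATTERNS. An empty list means nothing suspicious."""
    findings = []
    query = urlsplit(target).query
    for name, raw_value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw_value)  # parse_qsl already decoded one layer
        for pattern, reason in XSS_PATTERNS:
            if pattern.search(value):
                findings.append((name, reason))
                break  # one reason per parameter is enough for triage
    return findings


def scan_log(text):
    """Parse combined-format lines and return one finding dict per suspicious
    parameter; lines that do not parse are skipped rather than raising."""
    results = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for param, reason in scan_request_target(m["target"]):
            results.append({
                "client": m["client"],
                "time": m["time"],
                "status": m["status"],
                "target": m["target"],
                "param": param,
                "reason": reason,
            })
    return results


def count_by_client(findings):
    """Aggregate findings per source address, the usual first triage pivot."""
    return dict(Counter(f["client"] for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["client"]} {h["time"]} param={h["param"]!r}: {h["reason"]}')
    print("per client:", count_by_client(hits))
```

Pattern matching of this kind is noisy and easy to evade, so treat it as a triage aid while the upgrade to 2.0.9 is scheduled, not as a control in its own right; the durable fix remains the patched plugin together with output encoding of every reflected value (in WordPress, the esc_html()/esc_attr() family) and, where feasible, a Content-Security-Policy that limits inline script execution.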
CVE-2026-25013 is a Reflected XSS vulnerability in Phox Hosting versions 0.0.0 through 2.0.8, allowing attackers to inject malicious scripts via crafted URLs.
If you are using Phox Hosting version 2.0.8 or earlier, you are affected by this vulnerability. Upgrade to 2.0.9 or later to mitigate the risk.
The primary fix is to upgrade Phox Hosting to version 2.0.9 or later. Consider implementing input validation and output encoding as an additional security measure.
While no widespread exploitation has been confirmed, the ease of exploitation makes it a likely target. Monitor security advisories and threat intelligence feeds.
Refer to the Phox Hosting project's official website or WordPress plugin repository for the latest security advisory and update information.