Platform
wordpress
Component
miti
Fixed in
1.5.4
CVE-2026-25350 describes a Reflected Cross-Site Scripting (XSS) vulnerability in Miti, a WordPress plugin by skygroup. The flaw lets an attacker inject script into pages served by the plugin, which can lead to account compromise and data theft. It affects all versions up to and including 1.5.3 (listed as 0.0.0 through 1.5.3); the fix is available in version 1.5.4.
Reflected XSS means the payload travels in a crafted request, typically a link the victim is lured into opening, and is echoed back in the Miti plugin's output without proper encoding. The injected JavaScript then runs in the victim's browser in the context of the site, so it can read page content, issue requests with the victim's privileges, or redirect the victim to an attacker-controlled site. Because WordPress marks its authentication cookies HttpOnly, reading the session cookie directly is usually not possible; the realistic worst case is script acting on behalf of a logged-in administrator, which can amount to full site takeover, defacement, or distribution of malware. The impact is greatest where the plugin's output is reachable by privileged users or where the site has a large user base that can be targeted with crafted links. While no real-world exploitation has been publicly reported, the low effort required makes this a significant risk.
CVE-2026-25350 was publicly disclosed on 2026-03-25. There is currently no indication of active exploitation campaigns targeting it. No proof-of-concept (PoC) code has been published, but reflected XSS is straightforward to exploit once the vulnerable parameter is known. The vulnerability is not listed in the CISA KEV catalog at the time of writing.
Exploit Status
EPSS
0.04% (11th percentile)
The primary mitigation for CVE-2026-25350 is to upgrade the Miti plugin to version 1.5.4 or later. If upgrading is not immediately feasible because of compatibility or testing requirements, a Web Application Firewall (WAF) rule that filters common JavaScript injection patterns in request parameters (such as <script> tags or on* event handlers) reduces exposure, but treat it as a stopgap: signature-based filtering is routinely bypassed with alternative encodings and payloads, and it does not fix the plugin. The proper fix inside the plugin is input validation plus context-appropriate output encoding (WordPress's esc_html(), esc_attr(), esc_url() and similar) wherever request data is written into the page, which requires modifying the plugin code. After upgrading, verify the fix by requesting the previously vulnerable endpoint with a simple marker payload (e.g. alert('XSS')) and confirming that the response returns it HTML-encoded rather than executing it; a request that a WAF blocks does not demonstrate that the plugin itself is fixed.
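The following is an added example and not code from the Miti plugin: a minimal WordPress-style handler that reflects a query-string parameter, shown first as the vulnerable pattern and then hardened with input sanitization and context-specific output escaping, followed by the post-upgrade check described above. The parameter name `miti_q` and the search-box markup are hypothetical; the advisory does not name the vulnerable parameter in Miti. The `function_exists` stubs stand in for the real WordPress functions so the file runs with plain `php` outside WordPress.

```php
<?php
// Added example, not the Miti plugin's code. Parameter name "miti_q" and the
// markup are hypothetical; the real vulnerable parameter is not named in the
// advisory.

// Stand-ins so this runs with plain `php` outside WordPress. They mirror what
// WordPress does: esc_html()/esc_attr() are htmlspecialchars() with ENT_QUOTES;
// sanitize_text_field() strips tags and collapses whitespace.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        return trim(preg_replace('/\s+/', ' ', strip_tags($text)));
    }
}

// BEFORE: reflected XSS. The value of ?miti_q=... is written into an attribute
// and into a text node verbatim, so a crafted link such as
// ?miti_q="><script>...</script> executes in the visitor's browser.
function miti_search_box_vulnerable(array $get): string {
    $q = $get['miti_q'] ?? '';
    return '<input type="text" name="miti_q" value="' . $q . '">'
         . '<p>Results for: ' . $q . '</p>';
}

// AFTER: sanitize on input, escape on output, picking the escaper for the
// context the value lands in (attribute value vs. HTML text). Escaping is the
// part that actually prevents XSS; sanitize_text_field() is defence in depth.
function miti_search_box_fixed(array $get): string {
    $q = isset($get['miti_q']) ? sanitize_text_field((string) $get['miti_q']) : '';
    return '<input type="text" name="miti_q" value="' . esc_attr($q) . '">'
         . '<p>Results for: ' . esc_html($q) . '</p>';
}

// Post-upgrade check: the fix is confirmed only when the marker payload comes
// back encoded, not when a WAF merely rejects the request.
function reflects_raw(string $html, string $payload): bool {
    return strpos($html, $payload) !== false;
}

// Constructed request: the payload closes the value="" attribute and injects a
// script element.
$payload = '"><script>alert(\'XSS\')</script>';
$request = ['miti_q' => $payload];

$before = miti_search_box_vulnerable($request);
$after  = miti_search_box_fixed($request);

printf("vulnerable handler reflects raw payload: %s\n", reflects_raw($before, $payload) ? 'yes' : 'no');
printf("fixed handler reflects raw payload:      %s\n", reflects_raw($after, $payload) ? 'yes' : 'no');
echo "fixed output: " . $after . "\n";
```

Run it with `php example.php`. Inside a real plugin the stubs are absent, WordPress supplies the real functions, and the array passed in would be `$_GET` after `wp_unslash()`; the point to carry over is that every place request data reaches the page must pass through the escaper matching its output context.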
Update to version 1.5.4, or a newer patched version
CVE-2026-25350 is a Reflected XSS vulnerability in the skygroup Miti WordPress plugin, allowing attackers to inject malicious scripts. It affects versions 0.0.0 through 1.5.3 and poses a significant security risk.
You are affected if you are using skygroup Miti version 0.0.0 through 1.5.3. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the skygroup Miti plugin to version 1.5.4 or later. Consider a WAF rule as a temporary stopgap if upgrading is not immediately possible, keeping in mind that it does not fix the plugin.
There is currently no public evidence of active exploitation, but the ease of exploitation makes it a potential target.
Refer to the skygroup website or the WordPress plugin repository for the latest advisory and update information regarding CVE-2026-25350.