Platform: wordpress
Component: remoji
Fixed in: 2.2.1
CVE-2026-25452 describes a Stored Cross-Site Scripting (XSS) vulnerability in the Remoji WordPress plugin. The flaw allows attackers to inject malicious scripts that are stored on the server and executed in the browsers of other users who access affected pages. The vulnerability affects Remoji versions 0.0.0 through 2.2 and can lead to account compromise and data theft. A fix is available in version 2.2.1.
The Stored XSS vulnerability in Remoji allows an attacker to inject arbitrary JavaScript into the plugin's stored data. When a user views a page containing the injected script, it executes in that user's browser context, allowing the attacker to steal cookies, redirect the user to a malicious website, or deface the site. The impact can be significant, potentially leading to complete account takeover and data breaches. Given the widespread use of WordPress and its plugins, this vulnerability poses a substantial risk to many websites.
CVE-2026-25452 was publicly disclosed on 2026-03-25. No public proof-of-concept (PoC) code has been released so far, but the nature of the vulnerability makes it likely that one will emerge. The EPSS score is likely to be medium, indicating a moderate probability of exploitation given how easily XSS is exploited and the plugin's popularity. This vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-25452 is to update the Remoji plugin to version 2.2.1 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider temporarily disabling the Remoji plugin to prevent exploitation. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads provide an additional layer of defense. Monitor WordPress logs for suspicious activity, particularly unusual JavaScript execution patterns.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-25452 is a Stored XSS vulnerability in the Remoji WordPress plugin that allows attackers to inject malicious scripts which are stored on the server and executed in other users' browsers.
You are affected if you are using Remoji versions 0.0.0 through 2.2. Check your plugin versions and update immediately.
Update the Remoji plugin to version 2.2.1 or later. If upgrading is not possible, temporarily disable the plugin.
While no active exploitation has been confirmed, the nature of the vulnerability makes it likely that exploitation will occur.
Refer to the Remoji plugin's official website or the WordPress plugin repository for the latest advisory and update information.