Platform
wordpress
Component
simple-xml-sitemap
Fixed in
1.3.1
CVE-2026-22355 describes a Cross-Site Request Forgery (CSRF) vulnerability leading to Stored XSS in the Simple XML Sitemap WordPress plugin. A settings-changing request is accepted without an anti-CSRF check, so a logged-in administrator who is lured to an attacker-controlled page can be made to store attacker-supplied markup in the plugin's settings; that markup is later rendered without output encoding. The vulnerability affects plugin versions from 0.0.0 through 1.3. Version 1.3.1 is listed as the fixed release.
Successful exploitation of CVE-2026-22355 lets an attacker persist arbitrary JavaScript in the plugin's stored settings. The script then executes in the browser of anyone who loads a page where that setting is rendered, producing a stored cross-site scripting (XSS) attack. An attacker could steal cookies, hijack sessions, redirect users to malicious sites, or deface the site. The impact is most severe where the injected value is rendered inside the WordPress dashboard, because the script then runs with an administrator's session and can, for example, create users or install plugins through authenticated requests. The CSRF aspect means the attacker needs no credentials of their own, but it does require user interaction: an administrator must visit the attacker's page while logged in, and the browser must still attach the WordPress session cookie to the forged request.
CVE-2026-22355 was publicly disclosed on 2026-01-22. Currently, there are no known public exploits or active campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog. Exploitation difficulty is moderate: the attacker must craft the forged request and get a logged-in administrator to trigger it. The impact is high because of the potential for administrator session hijacking and data theft.
Any site running the affected plugin versions is at risk, regardless of hosting model: the CSRF step works per site and depends only on an administrator of that site browsing the web while logged in to wp-admin. Sites with many administrators, or whose administrators routinely stay logged in, are the most exposed. Sites running older, unmaintained WordPress installations are also at higher risk, since they are less likely to receive the plugin update promptly.
• wordpress / composer / npm:
grep -r "<script" /var/www/html/wp-content/plugins/simple-xml-sitemap/
• wordpress / composer / npm:
wp plugin list --status=inactive | grep simple-xml-sitemap
• wordpress / composer / npm:
wp plugin list | grep simple-xml-sitemap
The two wp plugin list commands tell you whether the plugin is installed (active or inactive; an inactive copy still needs updating). The grep is only a weak indicator: the plugin's own files legitimately contain script tags, and a payload stored through this CSRF would live in the database (the plugin's saved options), not in the plugin directory. Check the installed version against 1.3.1 rather than relying on the grep.
Exploit status
EPSS
0.01% (0th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-22355 is to upgrade the Simple XML Sitemap plugin to version 1.3.1 or later, the release listed as fixed above. Where an upgrade cannot be applied immediately, the following reduce exposure. A Content Security Policy that forbids inline scripts blocks the typical stored payload, but note that the WordPress admin itself relies heavily on inline scripts, so a strict CSP is usually only practical on the public front end. A Web Application Firewall with XSS rules can block the most obvious payloads in the forged request, although it cannot see a CSRF as such. Administrators should avoid browsing untrusted sites while logged in to wp-admin until the plugin is updated. For anyone maintaining the plugin code, the root-cause fix is a nonce check and a capability check on the settings-save handler, sanitization of the stored value, and context-appropriate output encoding where it is rendered. Monitor web server logs for POST requests that modify the plugin's settings, particularly ones whose Referer or Origin header is not your own site.
If upgrading is not possible in your environment, review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. It may be better to uninstall the affected plugin and look for a replacement.
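The pattern behind a "CSRF leading to stored XSS" in a WordPress settings page, and the fix described above, shown as an added illustration. This is not code from the Simple XML Sitemap plugin; the option name, form field name and function names are hypothetical, chosen only to make the two handlers comparable.

```php
<?php
// Added illustration, not the plugin's own code. Option and field names are hypothetical.
const SXS_DEMO_OPTION = 'sxs_demo_sitemap_title';

// --- VULNERABLE pattern -------------------------------------------------------
// No nonce and no capability check: any third-party page can host a form that
// POSTs to this handler. If an administrator's browser is logged in, the session
// cookie rides along and the option is written (CSRF). The value is later echoed
// without escaping, so a value like "><script>...</script> executes for whoever
// views the page where it is rendered (stored XSS).
function sxs_vuln_save_settings() {
    if ( isset( $_POST['sitemap_title'] ) ) {
        update_option( SXS_DEMO_OPTION, wp_unslash( $_POST['sitemap_title'] ) );
    }
}
function sxs_vuln_render_field() {
    echo '<input name="sitemap_title" value="' . get_option( SXS_DEMO_OPTION, '' ) . '">';
}

// --- HARDENED pattern ---------------------------------------------------------
function sxs_safe_save_settings() {
    // 1. CSRF: require a nonce issued to this user for this specific action.
    //    A cross-site form cannot obtain it, so a forged request dies here.
    check_admin_referer( 'sxs_save_settings', 'sxs_nonce' );

    // 2. Authorization: the nonce proves the request came from our page, not
    //    that the user is allowed to change settings. Check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Input sanitization: strip tags, line breaks and control characters
    //    before the value reaches the database.
    $title = sanitize_text_field( wp_unslash( $_POST['sitemap_title'] ?? '' ) );
    update_option( SXS_DEMO_OPTION, $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=sxs-demo&updated=1' ) );
    exit;
}
function sxs_safe_render_field() {
    // 4. Output encoding for the HTML attribute context, plus the nonce field
    //    that the save handler requires.
    wp_nonce_field( 'sxs_save_settings', 'sxs_nonce' );
    echo '<input name="sitemap_title" value="' . esc_attr( get_option( SXS_DEMO_OPTION, '' ) ) . '">';
}

// Wiring for the hardened handler: the form posts to admin-post.php with
// action=sxs_demo_save, which dispatches to this hook for logged-in users.
add_action( 'admin_post_sxs_demo_save', 'sxs_safe_save_settings' );
```

Both the nonce check and the capability check are needed: the nonce stops forged cross-site requests, while current_user_can() stops a low-privileged but legitimately logged-in user from reaching a handler meant for administrators. Routing the option through the Settings API instead (register_setting() with a sanitize_callback, and the form posted to options.php) gives you WordPress core's own nonce and capability checks rather than hand-written ones; escaping on output is still your responsibility either way.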
CVE-2026-22355 is a Cross-Site Request Forgery (CSRF) vulnerability in the Simple XML Sitemap WordPress plugin that leads to stored Cross-Site Scripting (XSS): a forged request from a logged-in administrator's browser stores attacker-controlled script in the plugin's settings.
You are affected if the Simple XML Sitemap plugin is installed, active or inactive, at any version from 0.0.0 through 1.3. Check the installed plugin version immediately.
Upgrade the Simple XML Sitemap plugin to version 1.3.1 or later. Until you can, restrict inline scripts with a CSP where practical and have administrators avoid browsing untrusted sites while logged in to wp-admin.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply mitigations proactively.
Check the plugin author's website or WordPress plugin repository for updates and advisories related to CVE-2026-22355.