Platform
wordpress
Component
motta-addons
Fixed in
1.6.2
CVE-2026-25033 identifies a Reflected Cross-Site Scripting (XSS) vulnerability within the Motta Addons WordPress plugin. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, data theft, or defacement. The vulnerability impacts versions 0.0.0 through 1.6.1 of the plugin, and a patch is available in version 1.6.1.
The impact of this Reflected XSS vulnerability is significant. An attacker could craft a malicious URL containing JavaScript code. When a user clicks on this URL, the injected script executes within their browser context, with that user's session and privileges. This could allow an attacker to steal session cookies, redirect the user to a phishing site, or modify the content of the web page. The blast radius extends to all users who interact with affected pages, making it a widespread concern for WordPress sites utilizing the Motta Addons plugin. Successful exploitation could also be used to gain administrative access if the victim holds administrative privileges.
CVE-2026-25033 was publicly disclosed on 2026-03-25. No public proof-of-concept (POC) code has been identified as of this writing, but the vulnerability's nature (Reflected XSS) makes it relatively easy to exploit. The CVSS score of 7.1 (HIGH) indicates a moderate probability of exploitation. It is not currently listed on CISA KEV. Active campaigns targeting WordPress plugins are common, so vigilance is advised.
Websites using the Motta Addons plugin, particularly those with user input fields or forms that are not properly sanitized, are at risk. Shared hosting environments where multiple websites share the same server resources are also more vulnerable, as a compromise on one site could potentially impact others.
• wordpress / composer / npm:
grep -r "<script>" /var/www/html/wp-content/plugins/motta-addons/
• wordpress / composer / npm:
wp plugin list --status=active | grep motta-addons
• wordpress / composer / npm:
wp plugin update motta-addons
• generic web:
Inspect URL parameters for suspicious JavaScript code (e.g., alert(1)).
disclosure
Exploit status
EPSS
0.04% (percentile 11%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25033 is to immediately upgrade the Motta Addons plugin to version 1.6.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. Web Application Firewalls (WAFs) can be configured to filter out requests whose URLs carry suspicious JavaScript payloads. Input validation and output encoding on the server side can also help prevent XSS attacks, although this requires modifying the plugin's code, which is not recommended without proper expertise. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into a URL and confirming that it is not executed.
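The "inspect URL parameters" check in the list above and the WAF-style filtering described in this paragraph both come down to the same task: decode each query-string value the way a browser eventually would and look for script-bearing constructs. The script below is an added example written for this page; it is not code from the advisory, from the Motta Addons plugin or from its vendor. The access-log lines, IP addresses and query values are constructed for illustration, and the patterns are generic reflected-XSS indicators, not a signature for CVE-2026-25033 specifically (the page does not name the vulnerable parameter). It goes slightly beyond the checklist by undoing double percent-encoding and HTML entities before matching, which is where a naive single-pass grep tends to miss things.

```python
import re
from html import unescape
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format). Not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2026:10:01:02 +0000] "GET /shop/?orderby=price HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Mar/2026:10:01:07 +0000] "GET /shop/?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4980 "-" "curl/8.0"
198.51.100.2 - - [25/Mar/2026:10:02:11 +0000] "GET /?q=%253Csvg%2Fonload%3Dalert%281%29%253E HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Mar/2026:10:03:30 +0000] "GET /blog/?p=42&title=javascript%3Aalert%281%29 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic indicators of a script-bearing value. Illustrative, not exhaustive.
PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b"),
    "event_handler": re.compile(r"\bon[a-z]+\s*="),
    "javascript_uri": re.compile(r"javascript\s*:"),
    "html_tag_with_payload": re.compile(r"<\s*(svg|img|iframe|object|embed)\b"),
}


def normalise(value: str, max_rounds: int = 3) -> str:
    """Undo layered encodings before matching: repeated percent-decoding (to
    catch double encoding) followed by HTML entity decoding, then lowercase."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            break
        current = decoded
    return unescape(current).lower()


def suspicious_params(target: str) -> list[tuple[str, list[str]]]:
    """Return (parameter name, matched indicator labels) for each query
    parameter in a request target whose decoded value looks script-bearing."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl already performs one round of percent-decoding on values.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = normalise(raw)
        reasons = [label for label, pat in PATTERNS.items() if pat.search(value)]
        if reasons:
            hits.append((name, reasons))
    return hits


def scan_log(text: str) -> list[dict]:
    """Scan access-log text and return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for name, reasons in suspicious_params(m["target"]):
            findings.append({
                "ip": m["ip"],
                "path": urlsplit(m["target"]).path,
                "param": name,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} param={f['param']} reasons={','.join(f['reasons'])}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the first sample line is a benign query and produces no finding, the other three are flagged. Note that this scans request logs, not plugin source: the grep for "<script>" in the plugin directory from the checklist will match legitimate template code, so it is a much noisier signal than a request-side check.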
Update to version 1.6.1, or a newer patched version
CVE-2026-25033 is a Reflected XSS vulnerability affecting the Motta Addons WordPress plugin, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using Motta Addons versions 0.0.0 through 1.6.1. Upgrade to 1.6.1 or later to mitigate the risk.
Upgrade the Motta Addons plugin to version 1.6.1 or later. Consider WAF rules or input validation as temporary workarounds if immediate upgrade is not possible.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for future attacks.
Refer to the Motta Addons official website or WordPress plugin repository for the latest security advisory and update information.