Platform: wordpress
Component: phox-host
Fixed version: 2.0.9
CVE-2026-25013 identifies a Reflected Cross-Site Scripting (XSS) vulnerability within Phox Hosting, a WordPress plugin. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise or data theft. The vulnerability impacts versions from 0.0.0 up to and including 2.0.8, but is resolved in version 2.0.9.
The primary impact of this Reflected XSS vulnerability lies in the attacker's ability to execute arbitrary JavaScript code within the context of a victim's browser session. This can be leveraged to steal cookies, redirect users to phishing sites, or deface the website. Successful exploitation could grant an attacker access to sensitive user data, including login credentials and personal information stored within the Phox Hosting system. Given the plugin's potential integration with WHMCS, the blast radius could extend to WHMCS user accounts as well, depending on the specific configuration and data flow.
CVE-2026-25013 was publicly disclosed on 2026-03-25. While no public proof-of-concept (PoC) has been widely reported, the ease of exploitation for Reflected XSS vulnerabilities means it is likely to be targeted. The EPSS score is likely medium, given the relatively straightforward nature of the attack and the potential for widespread impact. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Websites using Phox Hosting plugin versions 0.0.0 through 2.0.8 are at immediate risk. Shared hosting environments where multiple websites share the same server are particularly vulnerable, as a successful attack on one site could potentially impact others. Users who have not implemented robust input validation and output encoding practices are also at increased risk.
• wordpress / composer / npm:
grep -r 'phox-host' /var/www/html/wp-content/plugins/
wp plugin list | grep phox-host
• generic web:
curl -s 'https://example.com/?param=<script>alert(1)</script>' | grep -c '<script>alert(1)</script>' # a non-zero count means the payload is reflected unencoded in the response body (a reflection shows up in the body, not in the headers); `param` is a placeholder for the plugin's query parameter
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to immediately upgrade Phox Hosting to version 2.0.9 or later. If upgrading is not feasible due to compatibility issues or breaking changes, consider implementing input validation and output encoding on all user-supplied data displayed on the website. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can provide an additional layer of defense. Monitor web server access logs for suspicious URL patterns containing JavaScript code.
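Added here as a defender's example (not code from the advisory or from the Phox Hosting plugin): a small Python scanner that reads combined-format access-log lines, decodes each query parameter (including double-encoded values) and flags XSS-like payloads, which is the log-monitoring step the mitigation advice above recommends. The log lines are constructed and `param` is a placeholder; the page does not name the vulnerable parameter.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic);
# "param" is a placeholder, since the advisory does not name the vulnerable parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2026:10:01:02 +0000] "GET /?s=hosting HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Mar/2026:10:02:10 +0000] "GET /?param=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 6010 "-" "curl/8.0"
203.0.113.9 - - [25/Mar/2026:10:02:11 +0000] "GET /?param=%253Cimg%2520src%253Dx%2520onerror%253Dalert%281%29%253E HTTP/1.1" 200 6010 "-" "curl/8.0"
198.51.100.2 - - [25/Mar/2026:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Heuristic markers of reflected-XSS probes, checked against the fully decoded value; expect some false positives (e.g. a legitimate parameter value like "one=1") and tune per site.
XSS_MARKERS = re.compile(r'<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)\b', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable, so double-encoded payloads are seen as the application would see them."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_xss_probes(log_text):
    """Return (ip, status, parameter, decoded value) for each request whose query string carries an XSS-like payload.
    The status lets an analyst separate requests a WAF blocked (403) from ones the vulnerable page actually served (200)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing on them
        query = urlsplit(m.group('target')).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)  # parse_qsl has already decoded one layer
            if XSS_MARKERS.search(value):
                hits.append((m.group('ip'), m.group('status'), name, value))
    return hits

if __name__ == '__main__':
    for ip, status, name, value in find_xss_probes(SAMPLE_LOG):
        print(f'{ip} status={status} {name}={value!r}')
```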
Update to version 2.0.9, or a newer patched version
CVE-2026-25013 is a Reflected XSS vulnerability in Phox Hosting versions 0.0.0 through 2.0.8, allowing attackers to inject malicious scripts via crafted URLs.
If you are using Phox Hosting version 2.0.8 or earlier, you are affected by this vulnerability. Upgrade to 2.0.9 or later to mitigate the risk.
The primary fix is to upgrade Phox Hosting to version 2.0.9 or later. Consider implementing input validation and output encoding as an additional security measure.
While no widespread exploitation has been confirmed, the ease of exploitation makes it a likely target. Monitor security advisories and threat intelligence feeds.
Refer to the Phox Hosting project's official website or WordPress plugin repository for the latest security advisory and update information.