Platform: wordpress
Component: loobek
Fixed version: 1.5.3
CVE-2026-25349 identifies a Reflected Cross-Site Scripting (XSS) vulnerability within the Loobek WordPress plugin. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability impacts versions of Loobek from 0.0.0 up to, but not including, version 1.5.2. A patch has been released by the vendor.
The primary impact of this XSS vulnerability lies in the attacker's ability to execute arbitrary JavaScript code within the context of a user's browser. This can be leveraged to steal session cookies, redirect users to malicious websites, or deface the website. An attacker could craft a malicious URL containing the XSS payload and trick a user into clicking it, either through social engineering or by embedding the URL in a seemingly legitimate link. Successful exploitation could lead to complete account takeover and unauthorized access to sensitive data stored within the WordPress site. The blast radius extends to all users who interact with the vulnerable plugin, particularly those who are logged in.
CVE-2026-25349 was publicly disclosed on 2026-03-25. No public proof-of-concept (PoC) code has been identified at the time of writing. The EPSS score is currently pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Websites utilizing the Loobek WordPress plugin, particularly those with user authentication and sensitive data, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r '<script>' /var/www/html/wp-content/plugins/loobek/*
• generic web:
curl -I 'https://example.com/?param=<script>alert(1)</script>'
• wordpress / composer / npm:
wp plugin list | grep loobek
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to immediately upgrade the Loobek WordPress plugin to version 1.5.2 or later. This version contains the necessary fix to neutralize the malicious input. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious input strings targeting the vulnerable endpoint. Server-side input validation and context-aware output encoding also reduce the attack surface. After upgrading, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) through the affected input field and confirming that the script is not executed.
Update to version 1.5.2, or a newer patched version
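The output-encoding mitigation above, as an added example that is not Loobek's code: the advisory does not name the reflected parameter, so the shortcode, its `loobek_q` parameter and both function names are assumptions. The unsafe form echoes request input verbatim; the hardened form unslashes, sanitizes on input, and escapes for the exact HTML context on output.

```php
<?php
// Added example, not the plugin's code. Hypothetical shortcode that reflects
// a request parameter; `loobek_q` and the function names are assumptions.

// UNSAFE: the raw $_GET value lands in both an attribute and element text,
// so `"><script>alert(1)</script>` breaks out of the attribute and runs.
function loobek_search_box_unsafe() {
    $q = isset( $_GET['loobek_q'] ) ? $_GET['loobek_q'] : '';
    return '<form><input name="loobek_q" value="' . $q . '">'
         . '<p>Results for: ' . $q . '</p></form>';
}

// HARDENED: WordPress adds slashes to superglobals, so unslash first,
// then sanitize the input, then escape per output context.
// sanitize_text_field() alone is not the defence; esc_attr()/esc_html() are.
function loobek_search_box_safe() {
    $q = isset( $_GET['loobek_q'] )
        ? sanitize_text_field( wp_unslash( $_GET['loobek_q'] ) )
        : '';
    // esc_attr() for the attribute value, esc_html() for element text:
    // <script>alert(1)</script> is rendered as &lt;script&gt;... and not executed,
    // which is the check the advisory recommends after upgrading.
    return '<form><input name="loobek_q" value="' . esc_attr( $q ) . '">'
         . '<p>Results for: ' . esc_html( $q ) . '</p></form>';
}

add_shortcode( 'loobek_search', 'loobek_search_box_safe' );
```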
CVE-2026-25349 is a Reflected Cross-Site Scripting (XSS) vulnerability in the Loobek WordPress plugin, allowing attackers to inject malicious scripts into web pages.
You are affected if you are using Loobek versions 0.0.0 through 1.5.2. Upgrade to 1.5.2 or later to mitigate the risk.
Upgrade the Loobek WordPress plugin to version 1.5.2 or later. Consider WAF rules or input validation as temporary workarounds.
No active exploitation has been confirmed at this time, but the vulnerability is publicly known.
Refer to the skygroup website or the WordPress plugin repository for the latest advisory and updates regarding CVE-2026-25349.