Platform
wordpress
Component
mydecor
Fixed in
1.5.10
CVE-2026-25352 is a reflected cross-site scripting (XSS) vulnerability in the MyDecor WordPress plugin. A request parameter is written back into the page without adequate output encoding, so an attacker can craft a URL whose parameter value is rendered as script in the browser of whoever opens it, with session hijacking, data theft or defacement as the consequence. Affected: MyDecor 0.0.0 through 1.5.9. Fixed in 1.5.10.
Reflected XSS requires a victim to open an attacker-supplied URL, typically delivered by email, chat or a link on another site. Once that happens the injected script runs in the origin of the WordPress site itself, not in any sandbox scoped to the plugin, so it inherits the victim's session. WordPress marks its authentication cookies HttpOnly, so the script usually cannot read them directly, but it does not need to: requests it issues carry the cookies automatically, and in an administrator's session that is enough to act through wp-admin and the REST API (the CSRF nonces are present in the page for the script to read). Short of that, it can read what the victim sees, rewrite the page, and redirect to a phishing site. The blast radius is therefore defined by who can be induced to click, with logged-in administrators and editors as the high-value targets rather than anonymous visitors.
CVE-2026-25352 was publicly disclosed on 2026-03-25. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation associated with reflected XSS vulnerabilities.
Any site with the plugin installed exposes the affected code; how attractive a site is depends mainly on whether its administrators can be phished with a crafted link. Reflected XSS runs in the browser and does not compromise the server by itself; server-side compromise follows only if an administrator's session is abused to install or upload code. At that point a shared-hosting account whose web server user can reach other sites' files can turn one site's problem into a neighbour's, which is why shared hosting raises the stakes.
• wordpress / composer / npm (check which version is installed; the plugin header in the main PHP file carries it):
grep -im1 'Version:' /var/www/html/wp-content/plugins/mydecor/*.php
• generic web (probe the response body, not the headers: the original `curl -I` issues a HEAD request and never sees the reflected content; `param` is a placeholder because the advisory does not name the vulnerable parameter; the payload must be URL-encoded, which `--get --data-urlencode` does for you):
curl -sS --get --data-urlencode "param=<script>alert('XSS')</script>" 'https://example.com/mydecor/' | grep -cF "<script>alert('XSS')</script>"
A count of 0 (with the `&lt;script&gt;` form visible in the body) means the value is encoded on output; a count of 1 or more means it is reflected raw.
• wordpress / composer / npm (list the plugin whatever its activation status; a deactivated plugin's files stay on disk and may still be requestable directly):
wp plugin list --name=mydecor --fields=name,status,version
• wordpress / composer / npm (remediate):
wp plugin update mydecor
Exploit Status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS-vector
The fix is to upgrade MyDecor to 1.5.10 or later. If that must wait for testing, the options, roughly in order of effectiveness, are: deactivate the plugin (and, if its files can be requested directly, remove them), put a WAF rule in front of the site that blocks the usual reflected-XSS payload shapes on the affected parameter, and add a Content-Security-Policy that disallows inline script as defence in depth. Editing the plugin's own code to add output encoding (esc_html(), esc_attr() or esc_url() at the point where the parameter is printed) is the real fix, but it creates an unmaintained fork that the next plugin update silently overwrites, so treat it as a last resort. After upgrading, verify rather than assume: request the affected page with a marker payload such as <script>alert('XSS')</script> in the parameter and inspect the response body, expecting the &lt;script&gt; encoded form rather than the raw tag. Inspect the body rather than relying on a popup: a value can be reflected in a context where a plain <script> tag does not fire (inside an attribute, for instance) and still be exploitable with a different payload.
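Putting the detection and verification steps above into one script, as an added example that is not part of the original advisory or of the MyDecor plugin: `is_affected` compares an installed version against the fixed release 1.5.10 using numeric-aware sorting, `classify_reflection` decides from a response body whether a marker payload came back raw (vulnerable), HTML-encoded (fixed) or not at all, and `probe` wires the two to curl. The parameter name `param`, the endpoint URL and the marker string are placeholders, since the advisory does not name the vulnerable parameter; the two sample response bodies are constructed, not captured from a real site.

```shell
#!/bin/sh
# Added example for this advisory, not code from the MyDecor project or the
# original page. The parameter name "param" and the target URL are placeholders:
# the advisory does not name the vulnerable parameter.

FIXED_VERSION=1.5.10

# A marker unusual enough not to collide with legitimate script tags on the page.
MARKER=xss7f3a
PAYLOAD="<script>alert('${MARKER}')</script>"

# Constructed sample responses (not captured from a real site): what a
# vulnerable and a fixed page look like when the parameter is reflected.
SAMPLE_VULNERABLE_BODY="<p>Results for: ${PAYLOAD}</p>"
SAMPLE_FIXED_BODY="<p>Results for: &lt;script&gt;alert(&#039;${MARKER}&#039;)&lt;/script&gt;</p>"

# is_affected VERSION
# Returns 0 (true) when VERSION sorts before the fixed release. sort -V orders
# numerically per component, so 1.5.9 < 1.5.10 (a plain string compare gets
# that wrong and is exactly the mistake that misses this range).
is_affected() {
    v="$1"
    if [ "$v" = "$FIXED_VERSION" ]; then
        return 1
    fi
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$v" ]
}

# classify_reflection BODY
# Prints "vulnerable" when the payload appears verbatim in BODY, "encoded" when
# the marker is present only inside an escaped form such as &lt;script&gt;,
# and "absent" when the parameter is not reflected at all.
classify_reflection() {
    body="$1"
    case "$body" in
        *"$PAYLOAD"*) printf 'vulnerable\n' ;;
        *"$MARKER"*)  printf 'encoded\n' ;;
        *)            printf 'absent\n' ;;
    esac
}

# probe BASE_URL [PARAM]
# Sends the payload as a URL-encoded GET parameter and classifies the live
# response. --get with --data-urlencode makes curl do the percent-encoding.
# Needs network access and authorisation to test the target.
probe() {
    base_url="$1"
    param="${2:-param}"
    body=$(curl -sS --get --data-urlencode "${param}=${PAYLOAD}" "$base_url")
    classify_reflection "$body"
}

# installed_version
# Reads the version WP-CLI reports for the plugin; run from the WordPress root.
installed_version() {
    wp plugin get mydecor --field=version
}

# Command-line use: ./check.sh https://example.com/mydecor/ param
# With no arguments, classify the constructed samples instead of a live target.
if [ "$#" -ge 1 ]; then
    printf '%s reflects %s: %s\n' "$1" "${2:-param}" "$(probe "$1" "$2")"
else
    printf 'sample vulnerable body: %s\n' "$(classify_reflection "$SAMPLE_VULNERABLE_BODY")"
    printf 'sample fixed body: %s\n' "$(classify_reflection "$SAMPLE_FIXED_BODY")"
fi
```

On a WordPress host the two pieces combine naturally: `is_affected "$(installed_version)" && echo "upgrade required"` tells you whether to act, and `probe` after the upgrade gives the positive evidence (an `encoded` result) that the fix is in place on the page you care about.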
Update to version 1.5.10, or a newer patched version
CVE-2026-25352 is a reflected cross-site scripting (XSS) vulnerability in the MyDecor WordPress plugin: a request parameter is echoed into the page without encoding, so a crafted URL executes attacker script in the browser of anyone who opens it.
If you are running MyDecor 0.0.0 through 1.5.9, you are affected. Upgrade to 1.5.10 or later.
The recommended fix is to upgrade the MyDecor plugin to 1.5.10 or later. Deactivating the plugin, a WAF rule on the affected parameter, and a Content-Security-Policy that blocks inline script are temporary workarounds if an immediate upgrade is not possible.
There is currently no evidence of active exploitation, but given the nature of XSS vulnerabilities, exploitation is likely to occur.
Refer to the MyDecor plugin's official website or WordPress plugin repository for the latest advisory and update information.