HIGHCVE-2026-25033CVSS 7.1

WordPress Motta Addons plugin < 1.6.1 - Reflected Cross Site Scripting (XSS) vulnerability

Q: What is CVE-2026-25033 — Reflected XSS in Motta Addons?

CVE-2026-25033 is a Reflected XSS vulnerability affecting the Motta Addons WordPress plugin, allowing attackers to inject malicious scripts via crafted URLs.

Q: Am I affected by CVE-2026-25033 in Motta Addons?

You are affected if you are using Motta Addons versions 0.0.0 through 1.6.1. Upgrade to 1.6.1 or later to mitigate the risk.

Q: How do I fix CVE-2026-25033 in Motta Addons?

Upgrade the Motta Addons plugin to version 1.6.1 or later. Consider WAF rules or input validation as temporary workarounds if immediate upgrade is not possible.

Q: Is CVE-2026-25033 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for future attacks.

Q: Where can I find the official Motta Addons advisory for CVE-2026-25033?

Refer to the Motta Addons official website or WordPress plugin repository for the latest security advisory and update information.

翻译中…

平台

wordpress

组件

motta-addons

修复版本

1.6.2

AI Confidence: highNVDEPSS 0.0%已审阅: 2026年5月

在NVD查看

保存

正在翻译为您的语言…

CVE-2026-25033 identifies a Reflected Cross-Site Scripting (XSS) vulnerability within the Motta Addons WordPress plugin. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, data theft, or defacement. The vulnerability impacts versions 0.0.0 through 1.6.1 of the plugin, and a patch is available in version 1.6.1.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

The impact of this Reflected XSS vulnerability is significant. An attacker could craft a malicious URL containing JavaScript code. When a user clicks on this URL, the injected script executes within their browser context, effectively running under the user's privileges. This could allow an attacker to steal session cookies, redirect the user to a phishing site, or even modify the content of the web page. The blast radius extends to all users who interact with affected pages, making it a widespread concern for WordPress sites utilizing the Motta Addons plugin. Successful exploitation could also be used to gain administrative access if the user has sufficient privileges.

利用背景翻译中…

CVE-2026-25033 was publicly disclosed on 2026-03-25. No public proof-of-concept (POC) code has been identified as of this writing, but the vulnerability's nature (Reflected XSS) makes it relatively easy to exploit. The CVSS score of 7.1 (HIGH) indicates a moderate probability of exploitation. It is not currently listed on CISA KEV. Active campaigns targeting WordPress plugins are common, so vigilance is advised.

哪些人处于风险中翻译中…

Websites using the Motta Addons plugin, particularly those with user input fields or forms that are not properly sanitized, are at risk. Shared hosting environments where multiple websites share the same server resources are also more vulnerable, as a compromise on one site could potentially impact others.

检测步骤翻译中…

• wordpress / composer / npm:

grep -r "<script>" /var/www/html/wp-content/plugins/motta-addons/

• wordpress / composer / npm:

wp plugin list --status=active | grep motta-addons

• wordpress / composer / npm:

wp plugin update motta-addons --all

• generic web: Inspect URL parameters for suspicious JavaScript code (e.g., alert(1)).

攻击时间线

2026-03-25Disclosure
disclosure

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

EPSS

0.04% (11% 百分位)

CISA SSVC

利用情况none

可自动化no

技术影响partial

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 低 — 无需特殊条件，可以稳定地利用漏洞。
Privileges Required: 无 — 无需认证，无需凭证即可利用。
User Interaction: 需要 — 受害者必须打开文件、点击链接或访问特制页面。
Scope: 已改变 — 攻击可以超出脆弱组件，影响其他系统。
Confidentiality: 低 — 可访问部分数据。
Integrity: 低 — 攻击者可修改部分数据，影响有限。
Availability: 低 — 部分或间歇性拒绝服务。

受影响的软件

组件motta-addons

供应商wordfence

影响范围修复版本

0 – 1.6.11.6.2

弱点分类 (CWE)

CWE-79

时间线

已保留2026-01-28
发布日期2026-03-25
修改日期2026-04-28
EPSS 更新日期2026-04-02

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2026-25033 is to immediately upgrade the Motta Addons plugin to version 1.6.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. Web Application Firewalls (WAFs) can be configured to filter out malicious URLs containing suspicious JavaScript payloads. Input validation and output encoding on the server-side can also help prevent XSS attacks, although this requires modifying the plugin's code, which is not recommended without proper expertise. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into a URL and confirming that it is not executed.

修复方法翻译中…

Update to version 1.6.1, or a newer patched version

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2026-25033 — Reflected XSS in Motta Addons?

CVE-2026-25033 is a Reflected XSS vulnerability affecting the Motta Addons WordPress plugin, allowing attackers to inject malicious scripts via crafted URLs.

Am I affected by CVE-2026-25033 in Motta Addons?

You are affected if you are using Motta Addons versions 0.0.0 through 1.6.1. Upgrade to 1.6.1 or later to mitigate the risk.

How do I fix CVE-2026-25033 in Motta Addons?

Upgrade the Motta Addons plugin to version 1.6.1 or later. Consider WAF rules or input validation as temporary workarounds if immediate upgrade is not possible.

Is CVE-2026-25033 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for future attacks.

Where can I find the official Motta Addons advisory for CVE-2026-25033?

Refer to the Motta Addons official website or WordPress plugin repository for the latest security advisory and update information.

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE