Platform
wordpress
Component
nooni
Fixed version
1.5.2
CVE-2026-25353 describes a Reflected Cross-Site Scripting (XSS) vulnerability within the Nooni WordPress plugin. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, data theft, or defacement. The vulnerability impacts versions of Nooni from 0.0.0 up to, but not including, version 1.5.1. A patch is available in version 1.5.1.
The impact of this XSS vulnerability is significant. An attacker could leverage it to execute arbitrary JavaScript code within the context of a user's browser. This could be used to steal session cookies, allowing the attacker to impersonate the user. Malicious scripts could also redirect users to phishing sites, inject malware, or modify the content of the website. The blast radius extends to all users who interact with affected pages, making it a critical security concern for sites relying on the Nooni plugin. Successful exploitation requires an attacker to trick a user into clicking a malicious link or visiting a crafted URL.
CVE-2026-25353 was publicly disclosed on 2026-03-25. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the relatively simple nature of reflected XSS vulnerabilities.
Websites using the Nooni WordPress plugin, particularly those with user-supplied input fields that are not properly sanitized, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r '<script>' /var/www/html/wp-content/plugins/nooni/*
• generic web:
curl -I 'https://example.com/page-with-vulnerable-input?param=<script>alert(1)</script>'
• wordpress / composer / npm:
wp plugin list --status=inactive | grep nooni
• wordpress / composer / npm:
wp plugin update nooni
Disclosure
Exploitation status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25353 is to immediately upgrade the Nooni WordPress plugin to version 1.5.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. Web Application Firewalls (WAFs) can be configured to filter out potentially malicious input based on XSS patterns. Input validation and output encoding on the server-side can also help prevent the injection of malicious scripts. After upgrading, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into a vulnerable input field and confirming that the script is not executed.
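The post-upgrade verification step above can be made repeatable. The following helper is an added example (not the plugin's or the advisory's code): it sends the advisory's probe string as a query parameter to a page you administer and classifies whether the response body reflects it verbatim, HTML-entity-encoded, or not at all. The base URL and parameter name are placeholders; the page does not name the affected parameter.

```python
"""Post-upgrade check for a reflected XSS fix (added example, not vendor code)."""
import html
import urllib.parse
import urllib.request

# The probe string the advisory uses for verification.
PROBE = "<script>alert(1)</script>"

# Entity-encoded forms a browser renders as text instead of executing.
_ENCODED_FORMS = (
    html.escape(PROBE, quote=False),             # &lt;script&gt;...
    PROBE.replace("<", "&#60;").replace(">", "&#62;"),
    PROBE.replace("<", "&#x3c;").replace(">", "&#x3e;"),
)


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Return 'unescaped', 'escaped' or 'absent' for a response body.

    'unescaped' means the probe came back verbatim: the parameter is still
    reflected without output encoding, so the fix is not effective.
    """
    if probe in body:
        return "unescaped"
    if any(form in body for form in _ENCODED_FORMS):
        return "escaped"
    return "absent"


def build_probe_url(base_url: str, param: str, probe: str = PROBE) -> str:
    """Append the probe as a URL-encoded query parameter to base_url."""
    parts = urllib.parse.urlsplit(base_url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    query.append((param, probe))
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def verify_fix(base_url: str, param: str, timeout: int = 10) -> str:
    """Fetch a page of a site you administer with the probe and classify the body."""
    with urllib.request.urlopen(build_probe_url(base_url, param), timeout=timeout) as resp:
        body = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
    return classify_reflection(body)


# Constructed sample bodies standing in for responses before and after the upgrade.
SAMPLE_BEFORE = "<p>Results for: <script>alert(1)</script></p>"
SAMPLE_AFTER = "<p>Results for: &lt;script&gt;alert(1)&lt;/script&gt;</p>"

if __name__ == "__main__":
    print(classify_reflection(SAMPLE_BEFORE))  # unescaped
    print(classify_reflection(SAMPLE_AFTER))   # escaped
    # verify_fix("https://example.com/page-with-vulnerable-input", "param")  # placeholder URL/param
```

Only the "escaped" or "absent" results indicate the upgrade closed the reflection; run the check against a site you own after the plugin update and before re-enabling any temporary WAF exception.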
Update to version 1.5.1, or a newer patched version
CVE-2026-25353 is a Reflected Cross-Site Scripting (XSS) vulnerability in the Nooni WordPress plugin, allowing attackers to inject malicious scripts into web pages.
You are affected if you are using Nooni WordPress plugin versions 0.0.0 through 1.5.0. Upgrade to 1.5.1 or later to mitigate the risk.
Upgrade the Nooni WordPress plugin to version 1.5.1 or later. Consider WAF rules and input validation as temporary workarounds if immediate upgrade is not possible.
There is currently no evidence of active exploitation, but public PoCs are likely to emerge.
Refer to the Nooni plugin's official website or WordPress plugin repository for the latest advisory and update information.