Cross-Site Request Forgery in WP Html Page Sitemap by WordPress
CVE-2025-26549

7.1HIGH

Key Information:

Vendor: WordPress
Status: WP Html Page Sitemap
Vendor: CVE Published:; 13 February 2025

What is CVE-2025-26549?

A Cross-Site Request Forgery vulnerability in the WP Html Page Sitemap plugin poses a risk of stored cross-site scripting. An attacker can exploit this flaw to inject malicious scripts that may be executed in the context of users visiting the compromised web pages. This issue impacts all versions of WP Html Page Sitemap up to 2.2, allowing attackers to potentially manipulate user interactions without their consent, leading to unauthorized changes to the sitemap data.

Affected Version(s)

WP Html Page Sitemap <= 2.2

References

https://patchstack.com/database/wordpress/plugin/wp-html-...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 13, 2025
Vulnerability Reserved
Feb 12, 2025

Credit

Abdi Pranata (Patchstack Alliance)