Cross-site Scripting Vulnerability in VaultDweller Leyka Plugin
CVE-2025-26766
6.5 MEDIUM
Summary
The VaultDweller Leyka plugin for WordPress is vulnerable to stored cross-site scripting (XSS), which allows malicious users to inject harmful scripts into web pages viewed by other users. The vulnerability stems from improper handling of user input during web page generation and poses significant risks to site integrity and user data protection. All versions from the initial release up to and including 3.31.8 are affected. Website administrators should prioritize patching or updating to mitigate the risks associated with this vulnerability.
Affected Version(s)
Leyka <= 3.31.8
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Peter Thaleikis (Patchstack Alliance)