WordPress Plugin Vulnerabilities

WP Html Page Sitemap <= 2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Description

The WP Html Page Sitemap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
wp-html-page-sitemap
No known fix

References

CVE
CVE-2025-26549
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/242ad509-32fd-4b28-b6e2-6c49b7288dde

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
a990b3ec-1407-45b9-94e4-b44bda3afa87

Timeline

Publicly Published
2025-02-13 (about 1 year ago)
Added
2025-02-18 (about 1 year ago)
Last Updated
2025-02-18 (about 1 year ago)

Other

Published
Title
Published
2025-12-11
Title
Freshchat <= 2.3.4 - Cross-Site Request Forgery
Published
2025-01-16
Title
PayForm <= 2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-03-08
Title
HT Easy GA4 ( Google Analytics 4 ) < 1.0.7 - Plugin Activation via CSRF
Published
2025-04-17
Title
Amazon Showcase WordPress Plugin <= 2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2026-01-26
Title
Kama Thumbnail <= 3.5.1 - Cross-Site Request Forgery