CVE-2026-25033
Reflected XSS in Motta Addons UIxthemes Before
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uixthemes | motta_addons | to 1.6.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25033 is a medium priority Cross Site Scripting (XSS) vulnerability affecting the WordPress Motta Addons Plugin versions prior to 1.6.1.
This vulnerability allows attackers to inject malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβinto websites using the plugin.
These malicious scripts execute when visitors access the compromised site.
Exploitation requires user interaction by a privileged user, such as clicking a malicious link, visiting a crafted page, or submitting a form.
The vulnerability is classified under OWASP Top 10 A3: Injection.
How can this vulnerability impact me? :
This vulnerability can lead to attackers injecting and executing malicious scripts on your website, which can result in unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads.
Such exploitation can compromise the integrity and trustworthiness of your website, potentially harming your users and your reputation.
Since exploitation requires privileged user interaction, attackers might trick authorized users into performing actions that trigger the malicious scripts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a reflected Cross Site Scripting (XSS) issue in the Motta Addons WordPress plugin prior to version 1.6.1. Detection typically involves monitoring for suspicious HTTP requests that include malicious script payloads targeting the plugin's input fields or URLs.
While specific commands are not provided in the resources, common detection methods include using web application scanners or manual testing by sending crafted requests containing typical XSS payloads (e.g., <script>alert(1)</script>) to the affected plugin endpoints.
Network monitoring tools or intrusion detection systems (IDS) can be configured to look for patterns of reflected XSS attacks, such as unusual script tags in URL parameters or form submissions.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to update the Motta Addons WordPress plugin to version 1.6.1 or later, where the vulnerability has been patched.
Until the update can be applied, users can implement mitigation rules provided by Patchstack to block attacks targeting this vulnerability.
Additionally, enabling automatic mitigation and auto-update options offered by Patchstack can help protect the system from exploitation.
It is also advisable to educate privileged users about the risk of clicking on suspicious links or submitting untrusted forms, as exploitation requires user interaction.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the CVE-2026-25033 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.