CVE-2026-25356
Reflected XSS in Yobazar < 1.6.7 Enables Web Attacks
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| skygroup | yobazar | to 1.6.7 (exc) |
| skygroup | yobazar | From 1.0.0 (inc) to 1.6.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25356 is a medium priority Cross Site Scripting (XSS) vulnerability affecting the WordPress Yobazar Theme versions prior to 1.6.7.
This vulnerability allows attackers to inject malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβinto websites using the vulnerable theme.
These malicious scripts execute when visitors access the compromised site, potentially causing harm or unwanted behavior.
The vulnerability falls under the OWASP Top 10 category A3: Injection and has a CVSS score of 7.1, indicating moderate severity.
Exploitation requires user interaction, such as clicking a malicious link, visiting a crafted page, or submitting a form, but does not require authentication.
Updating to version 1.6.7 or later patches this issue.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to inject and execute malicious scripts on your website.
Such scripts can perform unwanted actions like redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing sensitive information.
Because the malicious code executes in the context of your website, it can compromise the security and trustworthiness of your site for your visitors.
Exploitation does not require authentication but does require user interaction, increasing the risk of successful attacks.
Failure to patch this vulnerability may lead to mass exploitation campaigns affecting thousands of websites.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
CVE-2026-25356 is a reflected Cross Site Scripting (XSS) vulnerability in the WordPress Yobazar Theme versions prior to 1.6.7. Detection typically involves monitoring for suspicious HTTP requests that include malicious script payloads or unusual URL parameters that could trigger the XSS.
While specific commands are not provided in the available resources, common detection methods include using web application firewalls (WAFs) with rules targeting this vulnerability, analyzing web server logs for suspicious query strings or POST data, and employing security scanners that detect reflected XSS patterns.
For manual inspection, you can use tools like curl or wget to send crafted requests to the web application and observe if the input is improperly reflected in the response without proper neutralization.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to update the Yobazar Theme to version 1.6.7 or later, as this version contains the patch that fixes the reflected XSS vulnerability.
Until the update can be applied, it is advised to implement mitigation rules provided by Patchstack to block attacks targeting this vulnerability.
Additionally, consider using a web application firewall (WAF) to filter and block malicious requests that attempt to exploit this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the CVE-2026-25356 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.