CVE-2026-25452
Status: Received - Intake
Stored XSS in WPDO Remoji <= 2.2 Allows Persistent Script Injection

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDO Remoji remoji allows Stored XSS. This issue affects Remoji: from n/a through <= 2.2.
Meta Information
Published: 2026-03-25
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor      Product   Version / Range
wpdo        remoji    up to 2.2 (inclusive)
patchstack  remoji    up to 2.2 (inclusive)
CWE ID: CWE-79
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25452 is a medium severity Cross Site Scripting (XSS) vulnerability affecting the WordPress Remoji Plugin versions up to and including 2.2.

This vulnerability allows attackers to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into websites using the plugin.

These malicious scripts execute when visitors access the compromised site, potentially causing harm or unauthorized actions.

Exploitation requires user interaction by a privileged user performing actions like clicking a malicious link, visiting a crafted page, or submitting a form, although the initial attack vector can be initiated by an unauthenticated user.


How can this vulnerability impact me?

This vulnerability can lead to attackers injecting and executing malicious scripts on your website, which can result in unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads.

Such exploitation can compromise the security and integrity of your website, potentially harming your visitors and damaging your site's reputation.

Because the vulnerability can be exploited by unauthenticated users and requires user interaction, it poses a moderate risk with potential for widespread exploitation.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a Stored Cross Site Scripting (XSS) issue in the WordPress Remoji Plugin up to version 2.2. Detection typically involves monitoring for injected malicious scripts in web pages generated by the plugin.

Since no official patch is available and the vulnerability involves script injection, detection can include inspecting web page source code for unexpected or suspicious scripts, especially those that could be injected via user inputs.

Specific commands or automated tools for detection are not provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the mitigation rule issued by Patchstack to block attacks targeting this vulnerability until an official patch is released.

Users are advised to update the Remoji plugin immediately once a patch becomes available.

In the meantime, seek assistance from hosting providers or web developers to apply available mitigations and monitor for suspicious activity.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CVE-2026-25452 vulnerability is a Cross Site Scripting (XSS) issue that allows attackers to inject malicious scripts into websites using the affected plugin. Such vulnerabilities can lead to unauthorized access to user data or manipulation of website content, which may result in breaches of data protection and privacy requirements.

Because XSS vulnerabilities can expose personal data or enable unauthorized actions, they may impact compliance with standards like GDPR and HIPAA that require protection of sensitive information and secure handling of user data.

However, the provided information does not explicitly detail the direct effects of this vulnerability on compliance with these regulations.

