CVE-2025-26549: Cross-Site Request Forgery (CSRF) in pa1 WP Html Page Sitemap
Cross-Site Request Forgery (CSRF) vulnerability in pa1 WP Html Page Sitemap wp-html-page-sitemap allows Stored XSS. This issue affects WP Html Page Sitemap: from n/a through <= 2.2.
AI Analysis
Technical Summary
CVE-2025-26549 affects the WP Html Page Sitemap plugin for WordPress, versions up to and including 2.2. It is a Cross-Site Request Forgery (CSRF) vulnerability: an attacker can trick an authenticated user into submitting unauthorized requests to the vulnerable plugin. Because the forged request writes attacker-controlled content, the CSRF flaw leads to stored Cross-Site Scripting (XSS): the injected script is persisted on the site and executed in the browsers of users who visit the affected pages. The root cause is insufficient request validation, in particular the lack of anti-CSRF tokens in the plugin's request handling. Exploitation requires the victim to be logged in to the WordPress site with sufficient privileges and to visit a crafted page that triggers the unauthorized request. No exploitation has been observed in the wild, but the vulnerability is a significant risk because persistent XSS can lead to session hijacking, defacement, or malware distribution. It was publicly disclosed on February 13, 2025; at the time of writing no official patch or CVSS score had been provided by the vendor or security databases. The plugin is commonly used to generate HTML sitemaps for WordPress sites, so a wide range of websites could be affected if they have not updated or applied mitigations.
Potential Impact
If exploited, this vulnerability allows attackers to inject persistent malicious scripts into affected WordPress sites, compromising the confidentiality and integrity of user sessions and data. Stored XSS can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or malware distribution. Availability could also suffer if attackers use the injected scripts to disrupt normal operation of the site. Since exploitation requires an authenticated user, sites with many users or several administrative roles are at higher risk. The impact reaches both site visitors and administrators, and can damage organizational reputation and trust. Given the widespread use of WordPress and the plugin's role in sitemap generation, many organizations globally could be affected, especially those that have not updated or mitigated this vulnerability.
Mitigation Recommendations
Organizations should immediately verify whether they are running WP Html Page Sitemap version 2.2 or earlier and plan to update to a patched version as soon as one becomes available. Until an official patch exists, administrators should consider disabling or removing the plugin to eliminate the attack surface. Web Application Firewall (WAF) rules that detect and block CSRF attempts against the plugin's endpoints can provide temporary protection. Enforcing strict user authentication and limiting administrative privileges reduces the number of accounts whose sessions could be abused. Site owners should also keep WordPress core and all plugins up to date, and consider deploying Content Security Policy (CSP) headers to limit the impact of any XSS that does land. Monitoring logs for unusual requests and user activity related to sitemap generation can help detect attempted exploitation.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-02-12T13:58:25.801Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69cd72a3e6bfc5ba1deec6c8
Added to database: 4/1/2026, 7:31:47 PM
Last enriched: 4/1/2026, 10:10:53 PM
Last updated: 4/6/2026, 11:00:02 AM