CVE-2025-26746 identifies a reflected Cross-site Scripting (XSS) vulnerability in the caalami Advanced Custom Fields: Link Picker Field plugin, specifically affecting versions up to 1.2.8. The vulnerability stems from improper neutralization of user-supplied input during web page generation, which allows malicious scripts to be injected and executed in the context of a victim's browser session. Reflected XSS typically occurs when input is immediately returned in the HTTP response without proper sanitization or encoding. This flaw can be exploited by attackers who craft malicious URLs containing payloads that, when clicked by users, execute arbitrary JavaScript code. Such code execution can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The plugin is commonly used in WordPress environments to enhance content management capabilities by providing a link picker field. Since the vulnerability is reflected and does not require authentication, any user visiting a maliciously crafted URL can be affected. No CVSS score has been assigned yet, and no known exploits have been reported in the wild as of the publication date. However, the vulnerability is publicly disclosed and should be addressed promptly. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for temporary mitigations. The vulnerability was reserved in February 2025 and published in April 2025, indicating recent discovery and disclosure.

The impact of CVE-2025-26746 is significant for organizations using the affected plugin on their WordPress sites. Successful exploitation can lead to the execution of arbitrary JavaScript in users' browsers, compromising confidentiality by stealing session cookies or sensitive data. Integrity may be affected if attackers perform unauthorized actions on behalf of users, such as changing content or settings. Availability impact is generally limited but could occur if attackers use the vulnerability to deface websites or deliver malware that disrupts service. The ease of exploitation—requiring only a crafted URL and no authentication—broadens the attack surface, potentially affecting all visitors to vulnerable sites. This can damage organizational reputation, lead to data breaches, and result in regulatory penalties if user data is compromised. The vulnerability is particularly concerning for sites with high traffic or those handling sensitive user information. Since no known exploits are currently active, the window for proactive mitigation remains open, but the risk of future exploitation is high once attackers develop proof-of-concept code.

Organizations should immediately assess their use of the caalami Advanced Custom Fields: Link Picker Field plugin and upgrade to a patched version once available. In the absence of an official patch, temporary mitigations include implementing Web Application Firewall (WAF) rules to detect and block suspicious input patterns typical of XSS payloads targeting the affected parameter. Input validation and output encoding should be enforced at the application level to neutralize malicious scripts. Site administrators can also disable or remove the vulnerable plugin if it is not essential. Employing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting the execution of unauthorized scripts. Regular security audits and monitoring for unusual activity or user complaints can help detect exploitation attempts. Educating users about the risks of clicking unknown links and employing multi-factor authentication can further reduce potential damage. Finally, subscribing to vendor or security mailing lists ensures timely awareness of patches and updates.