CVE-2025-26904 is a DOM-based Cross-site Scripting (XSS) vulnerability identified in the WP Responsive Auto Fit Text plugin for WordPress, developed by gal_op. This vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, specifically within the plugin's handling of dynamic text resizing features. The affected versions include all versions up to and including 0.2. DOM-based XSS occurs when malicious scripts are injected and executed in the victim's browser via manipulation of the Document Object Model, without server-side sanitization. This allows attackers to execute arbitrary JavaScript in the context of the affected website, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of the user. The vulnerability does not require authentication, making it accessible to unauthenticated attackers, but exploitation requires user interaction, such as clicking a malicious link or visiting a compromised page. No patches or fixes have been published yet, and no known exploits are reported in the wild at the time of disclosure. The vulnerability was reserved and published in February 2025 by Patchstack. The absence of a CVSS score necessitates an independent severity assessment. Given the nature of DOM-based XSS and the widespread use of WordPress plugins, this vulnerability poses a significant risk to websites using the affected plugin, especially those handling sensitive user data or high traffic volumes.

The primary impact of CVE-2025-26904 is the potential compromise of user confidentiality and integrity on websites using the vulnerable WP Responsive Auto Fit Text plugin. Successful exploitation allows attackers to execute arbitrary JavaScript in users' browsers, which can lead to theft of cookies, session tokens, or other sensitive information. This can result in account takeover, unauthorized actions, or redirection to malicious sites. Additionally, attackers may deface websites or inject malicious content, damaging organizational reputation. The vulnerability affects the availability of trust in affected websites, though it does not directly cause denial of service. Since the plugin is used in WordPress environments, which power a significant portion of the web, the scope of affected systems is considerable. Organizations relying on this plugin for responsive text features on their websites are at risk, particularly those in sectors such as e-commerce, finance, healthcare, and government, where user data protection is critical. The lack of authentication requirement lowers the barrier for attackers, increasing the likelihood of exploitation once a public exploit becomes available.

Organizations should immediately inventory their WordPress installations to identify the presence of the WP Responsive Auto Fit Text plugin and its version. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate exposure. If removal is not feasible, applying manual mitigations such as implementing strict Content Security Policy (CSP) headers can help reduce the risk of script injection and execution. Additionally, input validation and output encoding should be enforced on any user-controllable parameters that interact with the plugin's functionality. Monitoring web server logs and web application firewall (WAF) alerts for suspicious requests targeting the plugin's endpoints or parameters is recommended. Once a patch is available, prompt updating to the fixed version is critical. Educating users about the risks of clicking untrusted links can also reduce the likelihood of successful exploitation. Finally, organizations should conduct regular security assessments of their WordPress plugins and maintain an up-to-date inventory to quickly respond to emerging vulnerabilities.