CVE-2025-26549: 
WordPress vulnerability analysis and mitigation

The WP Html Page Sitemap WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability that allows Stored Cross-Site Scripting (XSS) in versions up to and including 2.2. The vulnerability was discovered and reported by Abdi Pranata on January 31, 2025, and publicly disclosed on February 13, 2025 (Patchstack).

The vulnerability has been assigned CVE-2025-26549 and received a CVSS v3.1 score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The issue stems from missing or incorrect nonce validation on a function, which makes it possible for unauthenticated attackers to update settings and inject malicious web scripts (WPScan).

Successful exploitation of this vulnerability could allow unauthenticated attackers to update settings and inject malicious web scripts that would execute when users access the affected pages. This requires tricking a site administrator into performing specific actions such as clicking on a malicious link (WPScan).

Currently, there is no official fix available for this vulnerability. Site administrators using the affected versions of WP Html Page Sitemap plugin (version 2.2 and below) should consider implementing additional security measures or removing the plugin until a patch is released (Patchstack).