CVE-2025-26566: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the In Stock Mailer for WooCommerce WordPress plugin, affecting versions up to and including 2.1.1. The vulnerability was discovered on March 11, 2025, and was assigned CVE-2025-26566. The issue stems from insufficient input sanitization and output escaping in the plugin (WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The technical assessment indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges, but does need user interaction (NVD).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute if they can successfully trick a user into performing specific actions, such as clicking on a malicious link. This could lead to compromised user sessions, data theft, or other malicious activities (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the In Stock Mailer for WooCommerce plugin should consider implementing additional security measures or temporarily disabling the plugin until a patch is released (WPScan).