CVE-2025-26573: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Rizzi Guestbook WordPress plugin, tracked as CVE-2025-26573. The vulnerability affects versions up to 4.0.1 of the plugin and was disclosed on March 26, 2025. The issue stems from improper neutralization of input during web page generation (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 Base Score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

The vulnerability can lead to compromised confidentiality, integrity, and availability, all rated as Low according to the CVSS scoring. The Cross-Site Scripting vulnerability could allow attackers to inject malicious scripts that execute in users' browsers within the context of the affected site (NVD).

Users of the Rizzi Guestbook WordPress plugin should upgrade to a version newer than 4.0.1 if available. As this is a recently disclosed vulnerability, users should monitor the plugin developer's announcements for patches (Wordfence).