CVE-2025-26731: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability has been identified in Repute Infosystems ARPrice plugin version 4.1.3 and earlier. The vulnerability was disclosed on March 27, 2025, and has been assigned the identifier CVE-2025-26731. The issue stems from improper neutralization of input during web page generation (NVD CVE, Patchstack Report).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 base score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction, with potential impacts on confidentiality, integrity, and availability (NVD CVE).

The stored XSS vulnerability could allow attackers to inject malicious scripts that would be executed in users' browsers when viewing affected pages. This could lead to theft of sensitive information, session hijacking, or other client-side attacks (NVD CVE).

Users of the ARPrice plugin should upgrade to a version newer than 4.1.3 once available. Until then, website administrators should implement additional security controls such as Web Application Firewalls (WAF) to help mitigate potential XSS attacks (NVD CVE).