CVE-2025-26991: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WPPizza WordPress plugin, identified as CVE-2025-26991. The vulnerability affects versions through 3.19.4 of the WPPizza plugin, which is a restaurant management solution for WordPress. The issue was discovered by security researcher Trương Hữu Phúc and was publicly disclosed on February 23, 2025 (Patchstack Database).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 Base Score of 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability can be exploited without authentication, though it requires user interaction (NVD).

This Cross-Site Scripting vulnerability could allow malicious actors to inject and execute arbitrary JavaScript code in users' browsers. When successfully exploited, attackers could potentially inject malicious scripts, including redirects and unwanted advertisements, which would execute when visitors access the affected website (Patchstack Database).

The vulnerability has been patched in version 3.19.5 of the WPPizza plugin. Users are advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack Database).