CVE-2025-26992: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress Landing Page Cat plugin, identified as CVE-2025-26992. The vulnerability affects versions through 1.7.8 of the Landing Page Cat plugin and was disclosed on April 14, 2025. This security issue was initially reported by security researcher Nguyen Xuan Chien on March 15, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) issue, categorized under CWE-79. It received a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability can be exploited without authentication, making it particularly concerning (Patchstack).

The vulnerability allows malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts will be executed when visitors access the affected site, potentially compromising user security and website integrity (Patchstack).

The vulnerability has been fixed in version 1.7.9 of the Landing Page Cat plugin. Users are advised to update to version 1.7.9 or later immediately. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking attacks until the update can be applied (Patchstack).