CVE-2025-26996: 
WordPress vulnerability analysis and mitigation

A code injection vulnerability (CVE-2025-26996) was discovered in Fetch Designs Sign-up Sheets WordPress plugin affecting versions through 2.3.0.1. The vulnerability was reported by Phan Trong Quan from VNPT Cyber Immunity on February 10, 2025, and was publicly disclosed on April 15, 2025 (Patchstack).

The vulnerability is classified as an Improper Control of Generation of Code (Code Injection) vulnerability, identified as CWE-94. It received a CVSS v3.1 score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, and can result in low-level impacts to confidentiality and integrity (Patchstack).

The vulnerability could allow malicious actors to inject their own content into pages and posts of affected websites. This could potentially be exploited for creating phishing pages within compromised websites. The impact is considered moderately dangerous and is expected to become actively exploited (Patchstack).

The vulnerability has been fixed in version 2.3.1 of the Sign-up Sheets plugin. Users are advised to update to this version or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).