CVE-2025-26563: WordPress Rocket Mobile Plugin <= 0.4.2 - Cross Site Scripting (XSS) vulnerability
First published: Mon Mar 03 2025(Updated: )
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Mobile allows Reflected XSS. This issue affects Mobile: from n/a through 1.3.3.
Credit: audit@patchstack.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| NotFound Mobile | >=1.3.3 | |
| WordPress Rocket Mobile Plugin | <=0.4.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2025-26563?
CVE-2025-26563 has a moderate severity rating due to the reflected XSS vulnerability it introduces.
How do I fix CVE-2025-26563?
To fix CVE-2025-26563, update NotFound Mobile to version 1.3.4 or later, or ensure that the WordPress Rocket Mobile Plugin is updated to version 0.4.3 or later.
What types of attacks are possible due to CVE-2025-26563?
CVE-2025-26563 allows attackers to execute arbitrary JavaScript code in the context of the user's session, leading to potential data theft or session hijacking.
Which versions of NotFound Mobile are affected by CVE-2025-26563?
CVE-2025-26563 affects NotFound Mobile versions up to and including 1.3.3.
Is the WordPress Rocket Mobile Plugin affected by CVE-2025-26563?
Yes, the WordPress Rocket Mobile Plugin is vulnerable to CVE-2025-26563 in versions up to and including 0.4.2.
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/severity
- agent/author
- agent/last-modified-date
- agent/source
- agent/tags
- agent/event
- vendor/notfound
- canonical/notfound mobile
- vendor/wordpress
- canonical/wordpress rocket mobile plugin