CVE-2025-26992
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in the Landing Page Cat WordPress plugin allows attackers to inject malicious scripts into web pages. When exploited, it can enable session hijacking, credential theft, or redirection to malicious sites. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WordPress Landing Page Cat plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of admin accounts leading to site takeover, data exfiltration, or malware distribution to visitors
Likely Case
Session hijacking of logged-in users, credential theft via phishing, or defacement of affected pages
If Mitigated
Limited impact with proper content security policies and user awareness training
🎯 Exploit Status
Reflected XSS typically requires user interaction but is easily weaponized in phishing campaigns
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.9 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find Landing Page Cat
4. Click 'Update Now' if available
5. If no update appears, download version 1.7.9+ from WordPress repository
6. Deactivate, delete old version, upload new version
7. Reactivate plugin
🔧 Temporary Workarounds
Content Security Policy Implementation
allImplement strict CSP headers to prevent script execution from untrusted sources
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to wp-config.php: header("Content-Security-Policy: default-src 'self'");
Plugin Deactivation
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate landing-page-cat
Navigate to WordPress admin > Plugins > Landing Page Cat > Deactivate
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads
- Disable the Landing Page Cat plugin entirely and use alternative landing page solutions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Landing Page Cat for version number. If version is 1.7.8 or lower, you are vulnerable.Check Version:
wp plugin get landing-page-cat --field=versionVerify Fix Applied:
Confirm plugin version is 1.7.9 or higher in WordPress admin panel. Test with XSS payloads to ensure they are properly sanitized.📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests with script tags or JavaScript payloads in query parameters
- Multiple failed XSS attempts in web server logs
Network Indicators:
- HTTP requests containing <script>, javascript:, or encoded XSS payloads in URL parameters
- Unusual outbound connections following suspected XSS exploitation
SIEM Query:
source="web_logs" AND ("<script" OR "javascript:" OR "onload=" OR "onerror=") AND uri_path="/wp-content/plugins/landing-page-cat/"