CVE-2025-26561: 
WordPress vulnerability analysis and mitigation

The Elfsight Yottie Lite WordPress plugin versions up to and including 1.3.3 contains a Stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by researcher Khang Duong and was publicly disclosed on February 13, 2025. This security issue affects multi-site installations and installations where unfiltered_html has been disabled (WPScan).

The vulnerability stems from insufficient input sanitization and output escaping in the Elfsight Yottie Lite plugin. It has been assigned a CVSS score of 5.5 (medium) and is classified under CWE-79. The vulnerability falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan, Patchstack).

The vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page. This could enable attackers to inject redirects, advertisements, and other HTML payloads that execute when guests visit the site (Patchstack).

Currently, there is no official fix available for this vulnerability. The issue has been classified as having a low priority for virtual patching, suggesting that while it represents a security risk, it is unlikely to be widely exploited (Patchstack).