CVE-2025-26768

Name of the Vulnerable Software and Affected Versions: what3words Address Field versions n/a through 4.0.15

Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Stored XSS in the what3words Address Field. This means an attacker can perform unauthorized actions on a user's account by tricking the user into performing a specific action, and also store malicious scripts that can be executed by other users.

Recommendations: For versions n/a through 4.0.15, update to a version later than 4.0.15 to resolve the issue. As a temporary workaround, consider disabling the what3words Address Field function until a patch is available. Restrict access to the what3words Address Field module to minimize the risk of exploitation.