Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Unauthenticated network comment submission (PR:N/AV:N/AC:L); stored XSS crosses into other users' browser context (S:C) with limited confidentiality/integrity and no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
The RPB Chessboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment Content in all versions up to, and including, 8.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress's save-time kses sanitization does not mitigate this issue because the crafted payload uses only kses-allowed tags and attributes (such as an <a> element with title and href), and the dangerous attribute-breaking HTML is synthesized entirely at render time by the plugin's own comment_text filter.
AnalysisAI
Stored cross-site scripting in the RPB Chessboard WordPress plugin (all versions through 8.1.2) lets unauthenticated attackers plant persistent JavaScript through comment content that executes in the browser of anyone who later views the affected page. The novel aspect, per Wordfence, is that WordPress's normal save-time kses sanitization is bypassed because the payload uses only kses-allowed tags/attributes (an <a> element with title and href) and the dangerous attribute-breaking markup is assembled entirely at render time by the plugin's own comment_text filter. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target WordPress site (1) runs RPB Chessboard version 8.1.2 or earlier, (2) accepts comments from unauthenticated visitors, and (3) renders those comments through the plugin's comment_text filter on pages that display chess content - the injection sink is specifically the plugin's render-time reprocessing of comment anchor tags (title/href attributes). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderate and mostly consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a comment on a page that renders RPB Chessboard content, using an anchor tag whose kses-permitted title and href attributes contain values crafted to break out of their attribute context once the plugin's comment_text filter reformats them. WordPress accepts and stores the comment because kses sees only allowed tags; when any subsequent visitor loads the page, the plugin synthesizes the malicious markup at render time and the injected script runs in that visitor's session (session/cookie theft, admin action forgery, redirects). … |
| Remediation | Update the RPB Chessboard plugin to the fixed release above 8.1.2 as soon as it is confirmed available; the WordPress plugin trac changeset (https://plugins.trac.wordpress.org/changeset?reponame=&old=3604068%40rpb-chessboard&new=3604068%40rpb-chessboard) shows the upstream code fix, but a specific tagged patched version is not independently confirmed from the provided data, so verify the target version against the plugin's changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, disable WordPress comments site-wide or enable strict pre-publication comment moderation on all sites running RPB Chessboard plugin version 8.1.2 or earlier. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44865
GHSA-23qv-c3w3-qc96