Skip to main content

RPB Chessboard CVE-2026-13042

| EUVDEUVD-2026-44865 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-16 Wordfence GHSA-23qv-c3w3-qc96
7.2
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
HIGH
qualitative
NVD
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
7.2 HIGH

Unauthenticated network comment submission (PR:N/AV:N/AC:L); stored XSS crosses into other users' browser context (S:C) with limited confidentiality/integrity and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 04:46 vuln.today
CVE Published
Jul 16, 2026 - 03:44 cve.org
HIGH 7.2

DescriptionNVD

The RPB Chessboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment Content in all versions up to, and including, 8.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress's save-time kses sanitization does not mitigate this issue because the crafted payload uses only kses-allowed tags and attributes (such as an <a> element with title and href), and the dangerous attribute-breaking HTML is synthesized entirely at render time by the plugin's own comment_text filter.

AnalysisAI

Stored cross-site scripting in the RPB Chessboard WordPress plugin (all versions through 8.1.2) lets unauthenticated attackers plant persistent JavaScript through comment content that executes in the browser of anyone who later views the affected page. The novel aspect, per Wordfence, is that WordPress's normal save-time kses sanitization is bypassed because the payload uses only kses-allowed tags/attributes (an <a> element with title and href) and the dangerous attribute-breaking markup is assembled entirely at render time by the plugin's own comment_text filter. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify comment-enabled page rendering RPB Chessboard
Delivery
Submit comment with kses-allowed anchor payload
Exploit
Plugin comment_text filter synthesizes script at render
Execution
Victim loads injected page
Impact
Arbitrary script executes in victim browser session

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress site (1) runs RPB Chessboard version 8.1.2 or earlier, (2) accepts comments from unauthenticated visitors, and (3) renders those comments through the plugin's comment_text filter on pages that display chess content - the injection sink is specifically the plugin's render-time reprocessing of comment anchor tags (title/href attributes). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderate and mostly consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a comment on a page that renders RPB Chessboard content, using an anchor tag whose kses-permitted title and href attributes contain values crafted to break out of their attribute context once the plugin's comment_text filter reformats them. WordPress accepts and stores the comment because kses sees only allowed tags; when any subsequent visitor loads the page, the plugin synthesizes the malicious markup at render time and the injected script runs in that visitor's session (session/cookie theft, admin action forgery, redirects). …
Remediation Update the RPB Chessboard plugin to the fixed release above 8.1.2 as soon as it is confirmed available; the WordPress plugin trac changeset (https://plugins.trac.wordpress.org/changeset?reponame=&old=3604068%40rpb-chessboard&new=3604068%40rpb-chessboard) shows the upstream code fix, but a specific tagged patched version is not independently confirmed from the provided data, so verify the target version against the plugin's changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, disable WordPress comments site-wide or enable strict pre-publication comment moderation on all sites running RPB Chessboard plugin version 8.1.2 or earlier. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13042 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy