Skip to main content

Post Expirator CVE-2026-39482

| EUVDEUVD-2026-20148 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:40 vuln.today
CVSS changed
Apr 13, 2026 - 20:22 NVD
6.5 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20148
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Post Expirator post-expirator allows DOM-Based XSS.This issue affects Post Expirator: from n/a through <= 4.9.4.

AnalysisAI

DOM-based cross-site scripting (XSS) in PublishPress Post Expirator WordPress plugin versions 4.9.4 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of higher-privileged administrators viewing affected pages, potentially leading to unauthorized actions or credential theft. The vulnerability requires user interaction (administrator viewing the malicious content) and is confined to the application context, making it a medium-severity risk despite the high CVSS score-EPSS scoring of 0.03% percentile indicates low real-world exploitation probability.

Technical ContextAI

PublishPress Post Expirator is a WordPress plugin (CPE: cpe:2.3:a:publishpress:post_expirator:*:*:*:*:*:*:*:*) that manages the expiration and automated handling of published posts. The vulnerability stems from improper sanitization and neutralization of user-supplied input during dynamic DOM manipulation (CWE-79: Improper Neutralization of Input During Web Page Generation). Rather than server-side reflected or stored XSS, this is DOM-based XSS, meaning the malicious payload is processed client-side in the browser's Document Object Model without being fully sanitized by the plugin's JavaScript code. The flaw likely exists in plugin-specific admin interface code that renders user data into the DOM without adequate escaping or Content Security Policy protections.

RemediationAI

Upgrade PublishPress Post Expirator to a patched version released after 4.9.4 as available from the official WordPress plugin repository or PublishPress website. No specific patched version number is independently confirmed in the provided advisory data, so administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/post-expirator/vulnerability/wordpress-post-expirator-plugin-4-9-4-cross-site-scripting-xss-vulnerability?_s_id=cve) or the plugin's official changelog for the recommended upgrade path. As an interim measure, restrict admin user access to only trusted personnel and limit plugin usage to sites where user-supplied content in Post Expirator fields is carefully reviewed before being displayed to administrators. Implementing a Web Application Firewall (WAF) with XSS detection rules may provide additional protection while patches are being deployed.

Share

CVE-2026-39482 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy