Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.This issue affects Blog Filter: from n/a through <= 1.7.6.
AnalysisAI
DOM-Based Cross-Site Scripting (XSS) in A WP Life Blog Filter WordPress plugin versions 1.7.6 and earlier allows authenticated attackers with low privileges to inject malicious scripts that execute in victims' browsers when they interact with crafted web pages. The vulnerability stems from improper neutralization of user input during page generation and requires user interaction to trigger. No public exploit code or active exploitation has been identified at the time of analysis, with an EPSS score of 0.03% indicating low exploitation probability.
Technical ContextAI
This vulnerability is a DOM-Based XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the A WP Life Blog Filter WordPress plugin, identified by CPE cpe:2.3:a:a_wp_life:blog_filter:*:*:*:*:*:*:*:*. DOM-Based XSS occurs when client-side JavaScript code processes user-controlled data without proper sanitization or encoding, allowing attackers to inject arbitrary scripts that execute in the document object model. Unlike reflected or stored XSS, DOM-based variants are particularly dangerous because the malicious payload may not appear in the HTML source and can be difficult to detect with server-side security tools. The plugin processes user input during web page generation without adequate output encoding or input validation, creating a pathway for script injection.
RemediationAI
Update the A WP Life Blog Filter plugin to a version newer than 1.7.6 as soon as a patched release is made available. Website administrators should navigate to WordPress Dashboard > Plugins, locate Blog Filter, and apply the available update. Until a patch is released, users may temporarily disable or remove the plugin if its functionality is not critical. For additional details and updates, consult the advisory at https://patchstack.com/database/Wordpress/Plugin/blog-filter/vulnerability/wordpress-blog-filter-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve and monitor the official plugin repository or vendor notifications for patch availability.
More in Blog Filter
View allThe Blog Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'AWL-BlogFilter' shortcode in vers
The Comments by Startbit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'vivafbcomment' shortcode
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20179
GHSA-fw58-q5m2-3fgm