Skip to main content

Korea Sns CVE-2026-39667

| EUVDEUVD-2026-20341 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack GHSA-93gq-jh68-93jp
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:43 vuln.today
CVSS changed
Apr 13, 2026 - 20:22 NVD
5.9 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20341
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jongmyoung Kim Korea SNS korea-sns allows DOM-Based XSS.This issue affects Korea SNS: from n/a through <= 1.7.0.

AnalysisAI

DOM-based cross-site scripting (XSS) in Jongmyoung Kim's Korea SNS WordPress plugin versions up to 1.7.0 allows authenticated high-privilege users to inject malicious scripts into web pages viewed by others. The vulnerability requires user interaction (UI:R) and high-privilege authentication (PR:H), limiting real-world exploitability to scenarios where administrative or editor-level WordPress accounts are compromised or misused. EPSS exploitation probability is minimal at 0.03% (8th percentile), indicating low technical likelihood despite the network-accessible attack vector.

Technical ContextAI

The vulnerability exploits improper input sanitization during web page generation within the Korea SNS WordPress plugin, a social networking extension for WordPress. The DOM-based XSS (CWE-79: Improper Neutralization of Input During Web Page Generation) occurs when the plugin processes user-supplied input without adequate escaping or validation before rendering it in the Document Object Model. This allows injection of arbitrary JavaScript code that executes in the browser context of affected users. The CPE identifier cpe:2.3:a:jongmyoung_kim:korea_sns:*:*:*:*:*:*:*:* confirms this affects all versions of the plugin from Jongmyoung Kim's Korea SNS product line.

RemediationAI

Site administrators must upgrade Korea SNS to a version newer than 1.7.0; the exact fixed version was not explicitly specified in the available advisory data, so administrators should check Patchstack or the plugin's GitHub repository for the latest release. As an immediate interim measure, restrict editing or publishing permissions in WordPress to only trusted users, and regularly audit user role assignments to prevent privilege escalation or account misuse. Disable the Korea SNS plugin entirely if a patched version is unavailable and the plugin is not critical to site operations. Review the Patchstack vulnerability entry at https://patchstack.com/database/Wordpress/Plugin/korea-sns for version-specific remediation guidance and patch release notes.

Share

CVE-2026-39667 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy