Skip to main content

H5P CVE-2026-56006

| EUVDEUVD-2026-39375 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-25 Patchstack GHSA-rp27-rcxx-mqmc
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network-reachable reflected XSS (PR:N, AV:N, AC:L) requires a victim click (UI:R); execution in the browser session crosses a security boundary (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:21 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in H5P <= 1.17.6 versions.

AnalysisAI

Reflected cross-site scripting in the H5P WordPress plugin (versions 1.17.6 and earlier) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link, per the CVSS PR:N/UI:R vector. Because the scope is changed (S:C), successful execution can reach beyond the vulnerable component into the authenticated WordPress session context, enabling session/cookie theft or admin-context actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL with XSS payload for H5P
Delivery
Deliver link to logged-in user
Exploit
Victim clicks, payload reflected in response
Execution
Script executes in authenticated browser session
Impact
Steal session cookies or perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires no authentication (PR:N) but does require user interaction (UI:R): a victim - ideally an authenticated WordPress user/administrator - must click or load an attacker-crafted link/request that carries the reflected payload to a site running H5P plugin version 1.17.6 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network-reachable, low complexity, no privileges, but requiring user interaction, with a scope change and low confidentiality/integrity/availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a vulnerable H5P endpoint containing a malicious script payload in a reflected parameter and sends it to a logged-in WordPress administrator via phishing or a malicious link. When the admin opens the link, the script executes in their authenticated browser session, allowing theft of session cookies or forced administrative actions. …
Remediation No vendor-released patch version was identified in the available data; the input confirms only that versions up to and including 1.17.6 are affected, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/h5p/vulnerability/wordpress-h5p-plugin-1-17-6-reflected-cross-site-scripting-xss-vulnerability) and the WordPress plugin repository for any release newer than 1.17.6 and upgrade to it once confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

WITHIN 24 HOURS: Audit all WordPress installations to identify those running H5P plugin version 1.17.6 or earlier; document counts and affected sites. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56006 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy