Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable reflected XSS needs no auth (PR:N) but requires the victim to open a crafted link (UI:R); script crossing into the admin origin justifies S:C with limited C/I/A impact.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in perfmatters <= 2.6.3 versions.
AnalysisAI
Reflected cross-site scripting in the Perfmatters WordPress plugin (versions 2.6.3 and earlier) allows unauthenticated attackers to inject malicious script that executes in a victim's browser when they follow a crafted link. The scope-changed CVSS 3.1 score of 7.1 reflects that successful exploitation can affect resources beyond the vulnerable component, such as an authenticated administrator's session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires no authentication (PR:N) but does require user interaction (UI:R): a victim - most impactfully a logged-in WordPress administrator - must open an attacker-crafted link to the affected site so the reflected payload is rendered. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates a network-reachable, low-complexity, unauthenticated attack that nevertheless requires user interaction (the victim must click or load a crafted link), which is the principal limiting factor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to the target WordPress site containing a malicious script payload in a parameter handled by Perfmatters, then delivers it to a logged-in administrator via phishing email, comment, or chat. When the administrator opens the link, the reflected script executes in their browser within the site's origin, allowing the attacker to steal the session, perform actions as the admin, or stage further compromise. … |
| Remediation | Upgrade Perfmatters to the vendor's fixed release above 2.6.3; an exact patched version number was not included in the provided data, so confirm the current secure version directly via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/perfmatters/vulnerability/wordpress-perfmatters-plugin-2-6-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) and the plugin's WordPress.org changelog before applying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations using Perfmatters and verify installed versions against 2.6.3. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39708
GHSA-77r4-g858-h4qm