Skip to main content

WPeMatico CVE-2026-57349

| EUVDEUVD-2026-41348 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-r6pv-mx9m-vf24
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network XSS needing victim interaction (UI:R), with cross-context script execution (S:C) yielding limited C/I/A impact, matching a reflected/stored XSS profile.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:14 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in WPeMatico RSS Feed Fetcher <= 2.8.17 versions.

AnalysisAI

Stored/reflected Cross-Site Scripting in the WPeMatico RSS Feed Fetcher WordPress plugin (versions 2.8.17 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in the browser of a victim who interacts with crafted content. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) indicates network-reachable, no-authentication exploitation with a scope change, meaning injected script can affect the wider WordPress context beyond the vulnerable component. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious XSS payload in request or feed
Delivery
Deliver crafted link/content to victim
Exploit
Victim views page rendering unsanitized input
Execution
Injected script executes in WordPress context
Impact
Hijack session or perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires no authentication (PR:N) and is network-reachable (AV:N) against sites running WPeMatico RSS Feed Fetcher <= 2.8.17, but it is gated by mandatory user interaction (UI:R): a victim must view or interact with the attacker-crafted content or link for the injected script to fire. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The single available scoring signal is CVSS 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network attack vector, low complexity, no privileges required, but user interaction IS required, and impacts are only Low across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or feed content containing a malicious script payload that WPeMatico renders without proper sanitization, then lures a site administrator or user into clicking the link or viewing the affected page. When the victim's browser loads the page, the injected JavaScript executes in the WordPress context, potentially hijacking the session, performing admin actions, or defacing content. …
Remediation Update the WPeMatico RSS Feed Fetcher plugin to the version released after 2.8.17 (the fixed release above 2.8.17 per the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpematico/vulnerability/wordpress-wpematico-rss-feed-fetcher-plugin-2-8-17-cross-site-scripting-xss-vulnerability); no exact fixed version number was included in the provided data, so confirm the patched release directly from the vendor/Patchstack advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress instances running WPeMatico plugin version 2.8.17 or earlier; disable the plugin immediately if identified; review server logs for XSS patterns and injection attempts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57349 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy