Skip to main content

WP Debugging CVE-2026-57350

| EUVDEUVD-2026-41349 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-v8f6-4wvm-6rp8
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

Unauthenticated reflected XSS needs no privileges (PR:N) but requires victim interaction (UI:R); scope change (S:C) as script runs in browser context, low C/I impact and no availability impact (A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:15 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in WP Debugging <= 2.12.2 versions.

AnalysisAI

Reflected cross-site scripting in the WP Debugging WordPress plugin (versions 2.12.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they interact with a crafted link or request. Reported by Patchstack and classified CWE-79 with a CVSS 7.1, the flaw carries a scope-change impact meaning injected script can affect the wider WordPress session context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious link with XSS payload
Delivery
Deliver link to WordPress admin via phishing
Exploit
Victim opens link triggering reflected injection
Execution
Script executes in admin browser session
Impact
Steal session cookies or perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the WP Debugging plugin (version 2.12.2 or earlier) to be installed and active on the target WordPress site, and it requires victim user interaction (UI:R) - the attacker must lure a user, ideally an authenticated administrator, into clicking a crafted link or loading a malicious request that triggers the reflected payload. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mixed toward moderate priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or request to a vulnerable WP Debugging endpoint that embeds malicious JavaScript in a reflected parameter, then delivers it to a logged-in administrator via phishing email, forum post, or a malicious link. When the victim opens the link, the script executes in their authenticated WordPress session and can steal session cookies, create rogue admin accounts, or perform actions on the victim's behalf. …
Remediation No vendor-released patch version was identified at time of analysis in the provided data; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-debugging/vulnerability/wordpress-wp-debugging-plugin-2-12-2-cross-site-scripting-xss-vulnerability) and the plugin's WordPress.org page for a release newer than 2.12.2 and upgrade to it as the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress installations running WP Debugging plugin versions ≤2.12.2; disable the plugin immediately and remove from production environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57350 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy