Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated reflected XSS needs no privileges (PR:N) but requires victim interaction (UI:R); scope change (S:C) as script runs in browser context, low C/I impact and no availability impact (A:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in WP Debugging <= 2.12.2 versions.
AnalysisAI
Reflected cross-site scripting in the WP Debugging WordPress plugin (versions 2.12.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they interact with a crafted link or request. Reported by Patchstack and classified CWE-79 with a CVSS 7.1, the flaw carries a scope-change impact meaning injected script can affect the wider WordPress session context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the WP Debugging plugin (version 2.12.2 or earlier) to be installed and active on the target WordPress site, and it requires victim user interaction (UI:R) - the attacker must lure a user, ideally an authenticated administrator, into clicking a crafted link or loading a malicious request that triggers the reflected payload. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are mixed toward moderate priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL or request to a vulnerable WP Debugging endpoint that embeds malicious JavaScript in a reflected parameter, then delivers it to a logged-in administrator via phishing email, forum post, or a malicious link. When the victim opens the link, the script executes in their authenticated WordPress session and can steal session cookies, create rogue admin accounts, or perform actions on the victim's behalf. … |
| Remediation | No vendor-released patch version was identified at time of analysis in the provided data; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-debugging/vulnerability/wordpress-wp-debugging-plugin-2-12-2-cross-site-scripting-xss-vulnerability) and the plugin's WordPress.org page for a release newer than 2.12.2 and upgrade to it as the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WordPress installations running WP Debugging plugin versions ≤2.12.2; disable the plugin immediately and remove from production environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wp Debugging
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41349
GHSA-v8f6-4wvm-6rp8