Skip to main content

Loops & Logic CVE-2026-57391

| EUVDEUVD-2026-43464 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Stored XSS requires low-privilege injection (PR:L) and victim page view (UI:R); scope changes to browser context (S:C); no direct availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:27 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tangible Loops & Logic tangible-loops-and-logic allows Stored XSS.This issue affects Loops & Logic: from n/a through <= 4.2.3.

AnalysisAI

Stored cross-site scripting in the Tangible Loops & Logic WordPress plugin (versions through 4.2.3) allows a low-privileged authenticated user to inject persistent malicious scripts into web pages that execute in the browsers of site visitors or administrators. The scope change (S:C in CVSS) confirms the payload escapes the injection context and executes in a victim's browser session, enabling session hijacking, credential theft, or malicious redirects. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged WordPress account
Delivery
Inject XSS payload into Loops & Logic template field
Exploit
Payload stored in database
Execution
Victim administrator loads affected page
Persist
Malicious script executes in admin browser
Impact
Steal session cookie or perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid WordPress account with at minimum contributor or author-level privileges (PR:L per CVSS vector) on the target site - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L accurately characterizes the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a contributor-level WordPress account on a site running Loops & Logic 4.2.3 or earlier. They craft a post or template fragment containing a malicious script payload embedded in a plugin-processed field, submit it, and the payload is stored in the database. …
Remediation Update the Loops & Logic plugin to the version released after 4.2.3 that addresses this XSS issue - consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/tangible-loops-and-logic/vulnerability/wordpress-loops-logic-plugin-4-2-3-cross-site-scripting-xss-vulnerability for the confirmed patched version, as an exact fix version is not independently confirmed from the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57391 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy