Skip to main content

Modula PRO CVE-2026-57426

| EUVDEUVD-2026-41363 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-x2v5-rp8m-cc4j
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network XSS (PR:N, AV:N, AC:L) requires victim interaction (UI:R) and executes across a trust boundary (S:C) with browser-scoped Low C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:18 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Modula - PRO <= 2.10.8 versions.

AnalysisAI

Cross-site scripting in the Modula PRO WordPress gallery plugin (versions through 2.10.8) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they view or interact with attacker-influenced content. Reported by Patchstack and rated CVSS 7.1 with a scope change, the flaw requires user interaction but no authentication; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious script payload
Delivery
Deliver via link or plugin input to victim
Exploit
Victim loads Modula PRO page (UI:R)
Execution
Injected JavaScript executes in browser
Impact
Hijack session or perform actions as user

Vulnerability AssessmentAI

Exploitation Exploitation requires no authentication (PR:N) but does require victim user interaction (UI:R) - such as clicking a crafted link or viewing a page containing the injected payload - against a site running Modula PRO version 2.10.8 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L yields 7.1 (High): network-reachable, low complexity, and unauthenticated (PR:N), but exploitation is gated by required user interaction (UI:R) and impact is limited to Low across confidentiality, integrity, and availability - consistent with browser-context script execution rather than server compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or submits input that carries a malicious JavaScript payload into a Modula PRO-rendered page and lures a logged-in administrator or site visitor to open it (satisfying the UI:R requirement). When the victim's browser renders the unsanitized content, the script runs in their session - potentially stealing cookies, forging admin actions, or redirecting the user. …
Remediation Upgrade Modula PRO to the first fixed release above version 2.10.8 as published by the vendor; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/modula/vulnerability/wordpress-modula-pro-plugin-2-10-8-cross-site-scripting-xss-vulnerability) and the vendor's changelog for the exact patched version, since no specific fix version is confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: scan all WordPress installations to identify deployed instances of Modula PRO v2.10.8 or earlier; immediately deactivate and remove affected plugin versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57426 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy