Skip to main content

Ghost Kit CVE-2026-57651

| EUVDEUVD-2026-39766 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 audit@patchstack.com GHSA-m7v9-h4q3-64mg
6.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Contributor auth required (PR:L), admin must view content (UI:R), scope changes to victim browser (S:C); XSS carries no direct availability impact so A:N.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:10 vuln.today

DescriptionCVE.org

Contributor Cross Site Scripting (XSS) in Ghost Kit <= 3.6.0 versions.

AnalysisAI

Cross-site scripting in the Ghost Kit WordPress plugin (versions ≤ 3.6.0) allows authenticated Contributor-level users to inject and store malicious JavaScript payloads via plugin block fields or parameters. When a higher-privileged user - such as an editor or administrator - views the affected content, the attacker's script executes in that user's browser context, enabling session hijacking, credential theft, or unauthorized administrative actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress Contributor account
Delivery
Author post with Ghost Kit block containing XSS payload
Exploit
Publish or submit content
Execution
Admin browses to affected page
Persist
Malicious script executes in admin browser
Impact
Steal session token or perform privileged admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold an active, authenticated Contributor-level (or higher) WordPress account on the target site - this is the primary gating condition and the most significant limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) is grounded in a network-exploitable, low-complexity attack path (AV:N/AC:L) that requires Contributor-level authentication (PR:L) and victim interaction (UI:R), with a scope change (S:C) reflecting cross-user browser impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a Contributor-level WordPress account on the target site crafts a post or page embedding a Ghost Kit block with a malicious JavaScript payload injected into an unsanitized field. When a site administrator or editor views the published content - for example, during a routine content review - the script executes silently in their browser, exfiltrating their session cookie to an attacker-controlled endpoint. …
Remediation Site administrators should update the Ghost Kit plugin to the latest available version via the WordPress plugin repository, verifying the installed version exceeds 3.6.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy