Skip to main content

Simple URLs CVE-2026-57762

| EUVDEUVD-2026-41317 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-q8gg-w774-849h
5.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
4.8 MEDIUM

Author credentials required (PR:H), admin must view content (UI:R), scope change to admin context confirmed; availability impact not substantiated for standard stored XSS.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:29 vuln.today

DescriptionCVE.org

Author Cross Site Scripting (XSS) in Simple URLs <= 151 versions.

AnalysisAI

Stored Cross-Site Scripting in the Simple URLs WordPress plugin (versions <= 151) allows authenticated author-level users to inject persistent malicious scripts into content rendered in the WordPress admin interface. The CVSS Scope:Changed metric indicates the injected payload executes in a security context beyond the attacker's own session - most likely the administrative dashboard viewed by higher-privileged users such as site administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Acquire author-level WordPress credentials
Delivery
Inject XSS payload into Simple URLs field
Exploit
Payload stored in database
Execution
Admin navigates to Simple URLs admin page
Persist
Malicious script executes in admin browser
Impact
Exfiltrate admin session token

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold at minimum author-level credentials on the target WordPress installation (confirmed by PR:H in the CVSS vector - this is not a default-configuration unauthenticated attack). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS score of 5.9 appropriately reflects the constrained exploitation path: PR:H requires the attacker to hold author-level WordPress credentials before any exploitation is possible, and UI:R requires a second privileged user to load the affected admin view. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with author credentials on a WordPress site injects a JavaScript payload (e.g., a cookie-stealing script pointing to an attacker-controlled server) into a URL title or label field within the Simple URLs plugin. When a site administrator subsequently navigates to the Simple URLs management page in the WordPress admin dashboard, the stored script executes silently in the admin's browser, exfiltrating the session cookie and granting the attacker full administrative control over the WordPress installation.
Remediation Update the Simple URLs plugin to a version newer than 151 via the WordPress plugin dashboard or by checking the WordPress.org plugin repository for the latest release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57762 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy