Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Author credentials required (PR:H), admin must view content (UI:R), scope change to admin context confirmed; availability impact not substantiated for standard stored XSS.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Author Cross Site Scripting (XSS) in Simple URLs <= 151 versions.
AnalysisAI
Stored Cross-Site Scripting in the Simple URLs WordPress plugin (versions <= 151) allows authenticated author-level users to inject persistent malicious scripts into content rendered in the WordPress admin interface. The CVSS Scope:Changed metric indicates the injected payload executes in a security context beyond the attacker's own session - most likely the administrative dashboard viewed by higher-privileged users such as site administrators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold at minimum author-level credentials on the target WordPress installation (confirmed by PR:H in the CVSS vector - this is not a default-configuration unauthenticated attack). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS score of 5.9 appropriately reflects the constrained exploitation path: PR:H requires the attacker to hold author-level WordPress credentials before any exploitation is possible, and UI:R requires a second privileged user to load the affected admin view. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with author credentials on a WordPress site injects a JavaScript payload (e.g., a cookie-stealing script pointing to an attacker-controlled server) into a URL title or label field within the Simple URLs plugin. When a site administrator subsequently navigates to the Simple URLs management page in the WordPress admin dashboard, the stored script executes silently in the admin's browser, exfiltrating the session cookie and granting the attacker full administrative control over the WordPress installation. |
| Remediation | Update the Simple URLs plugin to a version newer than 151 via the WordPress plugin dashboard or by checking the WordPress.org plugin repository for the latest release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Simple Urls
View allThe Simple URLs WordPress plugin before 115 does not escape some parameters before using them in various SQL statements
The Simple URLs WordPress plugin before 115 does not sanitise and escape some parameters before outputting them back in
Cross-Site Request Forgery (CSRF) vulnerability in Lasso Simple URLs plugin <= 120 versions. Rated high severity (CVSS 8
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lasso Simple URLs
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41317
GHSA-q8gg-w774-849h