Skip to main content

Structured Content CVE-2026-57763

| EUVDEUVD-2026-41318 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-xmfw-955c-7j22
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Contributor account required (PR:L), victim must render content (UI:R), scope change reflects cross-context browser execution (S:C); availability impact removed as XSS does not affect service availability.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:29 vuln.today

DescriptionCVE.org

Contributor Cross Site Scripting (XSS) in Structured Content <= 1.7.0 versions.

AnalysisAI

Cross-site scripting in the Structured Content WordPress plugin (versions <= 1.7.0) allows a Contributor-level authenticated user to inject malicious JavaScript that executes in the browser of higher-privileged users who subsequently view the crafted content. The CVSS scope change (S:C) confirms the payload crosses into the victim's browser security context, enabling session hijacking, credential theft, or unauthorized administrative actions within a WordPress installation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise Contributor account
Delivery
Inject XSS payload into Structured Content field
Exploit
Submit malicious content for admin review
Execution
Admin opens crafted content in authenticated browser
Persist
Malicious script executes in admin session
Impact
Exfiltrate session token or perform privileged actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to possess a valid Contributor-level (or higher) account on the target WordPress installation, as confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) accurately reflects key risk constraints: the attack is network-accessible with low complexity (AV:N/AC:L), but requires a low-privilege authenticated account (PR:L) and victim interaction (UI:R), which together meaningfully reduce opportunistic exploitation potential. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or obtains a Contributor-level account on the target WordPress site crafts a post or content block containing a malicious JavaScript payload within input fields handled by the Structured Content plugin and submits it. When an administrator or editor subsequently opens the content in their authenticated browser session to review or publish it, the injected script executes silently, allowing the attacker to exfiltrate session cookies, perform privileged WordPress actions on behalf of the victim, or redirect the administrator to an attacker-controlled site. …
Remediation Update the Structured Content plugin to a version above 1.7.0 per the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/structured-content/vulnerability/wordpress-structured-content-plugin-1-7-0-cross-site-scripting-xss-vulnerability?_s_id=cve); however, a specific confirmed patched release version is not independently verified from available data - check the WordPress plugin repository directly before upgrading to confirm a patched release exists. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57763 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy