Skip to main content

WP Latest Posts CVE-2026-9620

| EUVDEUVD-2026-38684 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-24 Wordfence GHSA-4mxp-2cfv-x3f6
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS still requires victim page access (UI:R); author-level auth needed (PR:L); scope changes to victim browser (S:C); no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 06:56 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
MEDIUM 6.4

DescriptionCVE.org

The WP Latest Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted image src attributes in post content in versions up to, and including, 5.0.11. This is due to insufficient output escaping in the field() and loop() functions, which extract the raw src attribute value from <img> tags within post_content using a regular expression and then reconstruct new <img> elements or CSS background-image declarations by directly concatenating the unescaped value - bypassing WordPress's kses filtering entirely. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the WP Latest Posts WordPress plugin (versions up to and including 5.0.11) allows authenticated attackers with author-level access to plant persistent JavaScript payloads by crafting malicious image src attributes in post content. The plugin's field() and loop() functions in wplp-front.inc.php extract raw src values via regex and reconstruct HTML img elements or CSS background-image declarations through direct string concatenation, entirely bypassing WordPress's built-in kses sanitization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain WordPress author-level credential
Delivery
Publish post with malicious img src payload
Exploit
Plugin field() or loop() extracts unescaped src via regex
Install
Payload injected into rendered HTML or CSS on live page
C2
Victim visits injected page
Execute
Script executes in victim browser context
Impact
Exfiltrate session cookies or hijack admin session

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with at minimum author-level privileges on the target installation - subscriber or unauthenticated users cannot publish or edit posts and therefore cannot plant the payload. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The reported CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) scores 6.4 Medium, but the UI:N designation is inconsistent with the CVE description, which states that exploitation occurs 'whenever a user accesses an injected page' - passive victim navigation satisfies UI:R under standard CVSS 3.1 methodology, which would reduce the score to approximately 5.4 Medium. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a WordPress author account on the target site creates or edits a post, embedding a crafted img tag with a JavaScript payload in the src attribute - for example, src set to a value containing an onerror handler that exfiltrates document.cookie to an attacker-controlled endpoint. When the WP Latest Posts plugin renders any page that invokes the field() or loop() functions against that post's content, the plugin extracts and directly injects the unescaped src value into the output HTML, delivering the stored payload to every subsequent visitor. …
Remediation No confirmed patched version is identified in the available intelligence data - all provided references point exclusively to the 5.0.11 tag in the WordPress Trac repository, with no newer release confirmed as containing a fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9620 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy