Is WordPress affected by EUVD-2026-13991?

Organizations using all should be aware of moderate risk from CVE-2026-4069, a cross-site scripting vulnerability rated CVSS 6.1. Attackers could inject scripts to steal sessions or perform actions as authenticated users.

EUVD-2026-13991

| CVE-2026-4069 MEDIUM

2026-03-21 Wordfence

GHSA-pmq6-5285-2f6f

6.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 21, 2026 - 04:00 vuln.today

EUVD ID Assigned

Mar 21, 2026 - 04:00 euvd

EUVD-2026-13991

CVE Published

Mar 21, 2026 - 03:26 nvd

MEDIUM 6.1

Description

The Alfie - Feed Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'naam' parameter in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_option_page() function combined with insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject malicious web scripts that will be stored in the plugin's database and execute whenever a user accesses the page displaying the injected data, granted they can trick a site administrator into performing an action such as clicking on a link.

Analysis

The Alfie - Feed Plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'naam' parameter of the alfie_option_page() function, affecting all versions up to and including 1.2.1. The vulnerability stems from missing nonce validation combined with insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject malicious scripts that persist in the plugin's database and execute when users view affected pages. …

Remediation

Within 30 days: Identify affected systems running all and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +30

POC: 0

EUVD-2026-13991 vulnerability details – vuln.today

Back

EUVD-2026-13991

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-13991

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code