Skip to main content

Upsolution Core EUVDEUVD-2026-15604

| CVE-2026-24983 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-jjpq-g8xj-hcf8
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15604
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UpSolution UpSolution Core us-core allows Reflected XSS.This issue affects UpSolution Core: from n/a through <= 8.41.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in UpSolution Core plugin versions through 8.41, allowing attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the UpSolution Core WordPress plugin (CPE: cpe:2.3:a:upsolution:upsolution_core), enabling attackers to steal session tokens, perform actions on behalf of users, or redirect users to malicious sites through crafted URLs. No CVSS score, EPSS probability, or KEV status is currently available, though Patchstack has confirmed and documented this as a reflected XSS vulnerability.

Technical ContextAI

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic input validation and output encoding failure. The UpSolution Core plugin (identified via CPE cpe:2.3:a:upsolution:upsolution_core:*:*:*:*:*:*:*:*) fails to properly sanitize user-supplied input before reflecting it back in HTML responses. Reflected XSS occurs when an attacker crafts a malicious URL containing unencoded JavaScript payload that the application echoes directly into the page source without proper HTML entity encoding, allowing the browser to execute the script in the victim's security context. This is a server-side input handling vulnerability affecting the WordPress plugin infrastructure.

RemediationAI

Update UpSolution Core to a version greater than 8.41 as soon as a patched release becomes available; consult the vendor advisory and Patchstack database for patch availability and release notes. In the interim, implement output encoding on all user-supplied input reflected in HTML responses using WordPress escaping functions (e.g., esc_html(), esc_url(), wp_kses_post()) and apply Content Security Policy (CSP) headers with strict-dynamic to mitigate XSS payload execution. Additionally, restrict plugin functionality to trusted administrators and users, disable plugin auto-updates if it may introduce instability, and monitor server logs and user activity for signs of exploitation. Organizations should reference the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/us-core/vulnerability/wordpress-upsolution-core-plugin-8-41-reflected-cross-site-scripting-xss-vulnerability for official guidance from the security research community.

Share

EUVD-2026-15604 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy