Skip to main content

Advanced IP Blocker EUVDEUVD-2026-32191

| CVE-2026-42739 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 audit@patchstack.com GHSA-p4rc-j472-qjfr
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:35 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IniLerm Advanced IP Blocker advanced-ip-blocker allows DOM-Based XSS.This issue affects Advanced IP Blocker: from n/a through <= 8.10.7.

AnalysisAI

DOM-based cross-site scripting in the Advanced IP Blocker WordPress plugin (IniLerm) affects all versions from initial release through 8.10.7, letting an unauthenticated remote attacker execute arbitrary JavaScript in a victim's browser when that victim is lured into triggering crafted input. Because the CVSS scope is marked changed (S:C), the injected script can affect resources beyond the vulnerable component, though confidentiality, integrity, and availability impacts are each rated low. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible at 0.03% (10th percentile).

Technical ContextAI

Advanced IP Blocker is a WordPress plugin used to block or restrict site access by IP address. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the DOM-based variant, meaning untrusted data flows into a client-side sink (e.g., document write, innerHTML, or a JavaScript-driven page element) without proper neutralization, so the malicious payload is assembled and executed entirely in the browser rather than reflected by the server. As a WordPress plugin, the affected surface is the plugin's pages or admin/front-end interface rendered in the WordPress environment; the exact vulnerable parameter and sink are not detailed in the provided data. The CVSS vector (AV:N/UI:R) indicates the payload is delivered over the network but requires a user to interact with attacker-controlled content for the script to fire.

RemediationAI

No vendor-released patch identified at time of analysis - the provided data lists affected versions through 8.10.7 but does not specify a fixed release, so administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/advanced-ip-blocker/vulnerability/wordpress-advanced-ip-blocker-plugin-8-10-7-cross-site-scripting-xss-vulnerability) and the plugin's WordPress.org listing for an update newer than 8.10.7 and apply it as soon as one is published. As compensating controls until a patched version is available: deactivate and remove the Advanced IP Blocker plugin if its IP-blocking function can be served by another mechanism (trade-off: loss of IP-blocking capability); deploy a Web Application Firewall or WordPress security plugin (e.g., Patchstack's own vPatch, Wordfence) with an XSS ruleset to filter malicious payloads targeting the plugin's parameters (trade-off: rules may not cover the specific DOM sink and require tuning); and restrict access to the plugin's pages to trusted, authenticated administrators via access controls to shrink the pool of users who can be lured into triggering the payload (trade-off: reduces convenience and does not eliminate risk for those users).

Share

EUVD-2026-32191 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy