Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Network-delivered stored XSS requires Contributor auth (PR:L) and victim page view (UI:R); scope changes to victim browser (S:C) with limited C/I impact and no availability impact.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
The AI Share & Summarize WordPress plugin before 2.0.4 does not sanitise and escape some of its shortcode attributes before outputting them in a page, allowing users with the Contributor role and above to perform Stored Cross-Site Scripting attacks.
AnalysisAI
Stored Cross-Site Scripting in the AI Share & Summarize WordPress plugin (all versions before 2.0.4) allows any user holding a Contributor role or above to inject persistent malicious JavaScript via unsanitized shortcode attributes rendered on pages. When a higher-privileged user such as an Administrator subsequently views the affected page, the payload executes in their browser, enabling session hijacking, credential theft, or unauthorized privileged actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to possess at minimum a WordPress Contributor-level account on the target site, either obtained through open user registration, phishing, or credential compromise. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.4 (Medium) accurately captures the constrained prerequisites: while the attack is network-accessible and low-complexity, it requires at minimum a Contributor-level authenticated session (PR:L) and a victim user to view the injected page (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a Contributor-level account on a vulnerable WordPress site running AI Share & Summarize before 2.0.4, then crafts a post embedding a shortcode with a malicious JavaScript payload in one of its attributes. Once the post is published or saved, any Administrator or Editor who views the page triggers execution of the script in their browser - a publicly available proof-of-concept lowers the technical barrier for constructing this payload - potentially resulting in session cookie theft and full site takeover. |
| Remediation | Update the AI Share & Summarize WordPress plugin to version 2.0.4 or later, which the vendor has confirmed includes the fix for improper shortcode attribute sanitization and escaping. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38692
GHSA-3xqv-hqp3-38hq