Skip to main content

Perfmatters EUVDEUVD-2026-39708

| CVE-2026-56047 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 audit@patchstack.com GHSA-77r4-g858-h4qm
7.1
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable reflected XSS needs no auth (PR:N) but requires the victim to open a crafted link (UI:R); script crossing into the admin origin justifies S:C with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:01 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in perfmatters <= 2.6.3 versions.

AnalysisAI

Reflected cross-site scripting in the Perfmatters WordPress plugin (versions 2.6.3 and earlier) allows unauthenticated attackers to inject malicious script that executes in a victim's browser when they follow a crafted link. The scope-changed CVSS 3.1 score of 7.1 reflects that successful exploitation can affect resources beyond the vulnerable component, such as an authenticated administrator's session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious URL with XSS payload
Delivery
Lure admin to click link
Exploit
Payload reflected without sanitization
Execution
Script executes in admin browser context
Impact
Hijack session or act as admin

Vulnerability AssessmentAI

Exploitation Exploitation requires no authentication (PR:N) but does require user interaction (UI:R): a victim - most impactfully a logged-in WordPress administrator - must open an attacker-crafted link to the affected site so the reflected payload is rendered. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates a network-reachable, low-complexity, unauthenticated attack that nevertheless requires user interaction (the victim must click or load a crafted link), which is the principal limiting factor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to the target WordPress site containing a malicious script payload in a parameter handled by Perfmatters, then delivers it to a logged-in administrator via phishing email, comment, or chat. When the administrator opens the link, the reflected script executes in their browser within the site's origin, allowing the attacker to steal the session, perform actions as the admin, or stage further compromise. …
Remediation Upgrade Perfmatters to the vendor's fixed release above 2.6.3; an exact patched version number was not included in the provided data, so confirm the current secure version directly via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/perfmatters/vulnerability/wordpress-perfmatters-plugin-2-6-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) and the plugin's WordPress.org changelog before applying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations using Perfmatters and verify installed versions against 2.6.3. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39708 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy