Skip to main content

Editorial Rating EUVDEUVD-2026-40251

| CVE-2026-12560 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-30 Wordfence GHSA-c3mc-8j5j-vh28
4.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
4.4 MEDIUM

Administrator credentials required (PR:H) and specific post meta context adds complexity (AC:H); scope changes as XSS executes in victim browsers (S:C) with limited confidentiality and integrity impact.

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 30, 2026 - 06:16 vuln.today
CVE Published
Jun 30, 2026 - 04:30 cve.org
MEDIUM 4.4

DescriptionCVE.org

The Editorial Rating - Product Review & Rating System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'Link URL' Field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The WordPress unfiltered_html capability exemption does not apply here because the payload is stored in post meta (_wpas_er_options via update_post_meta) rather than in post_content or post_excerpt, meaning the restriction affects all administrators regardless of their unfiltered_html status.

AnalysisAI

Stored Cross-Site Scripting in the Editorial Rating - Product Review & Rating System WordPress plugin (versions ≤ 4.0.5) enables authenticated administrators to inject persistent JavaScript payloads via the 'Link URL' field, which execute in any site visitor's browser upon loading an affected review page. The attack exploits a WordPress-specific sanitization bypass: because the payload is stored in post meta (_wpas_er_options via update_post_meta) rather than post_content or post_excerpt, WordPress's unfiltered_html capability exemption does not apply, meaning the restriction affects all administrators regardless of their unfiltered_html status. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress administrator credentials
Delivery
Inject XSS payload into Link URL review field
Exploit
Payload persisted in _wpas_er_options post meta
Execution
WordPress sanitization pipeline bypassed
Persist
Victim browses affected review page
Impact
Malicious script executes in victim browser

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress administrator-level account on the target site (confirmed by CVSS PR:H). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.4 Medium (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) accurately reflects the constrained real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained WordPress administrator credentials - through phishing, credential stuffing, or a rogue co-administrator - navigates to a post's Editorial Rating review metabox and enters a JavaScript payload (e.g., a cookie-stealing script) in the 'Link URL' field. The payload is saved via update_post_meta into _wpas_er_options, bypassing WordPress's post-content sanitization, and is then rendered unsanitized in the page template. …
Remediation No vendor-released patched version beyond 4.0.5 is confirmed in the available data - patch status should be verified directly against the WordPress plugin repository (https://wordpress.org/plugins/editorial-rating/) and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/26c63d73-6ce2-4b3a-b0d9-29f7d9b368d5. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40251 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy