Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Unauthenticated injection via the network endpoint (PR:N, AV:N, AC:L), but execution needs a moderator to open the edit screen (UI:R), with scope change into the admin browser context (S:C) and limited C/I impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the unauthenticated webmention REST endpoint and rendered directly into HTML 'value' attributes by the edit-comment-form template without esc_attr() or esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a privileged user (moderator or administrator) opens the affected comment edit screen.
Articles & Coverage 1
AnalysisAI
Stored cross-site scripting in the Webmention WordPress plugin (versions up to and including 5.8.0) lets unauthenticated attackers persist malicious script through the public webmention REST endpoint, which a moderator or administrator then triggers simply by opening the affected comment's edit screen. Attacker-controlled MF2 'avatar' and 'url' author properties are stored and later echoed unescaped into HTML 'value' attributes, yielding script execution in a privileged admin session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target site to have the Webmention plugin (≤5.8.0) installed with inbound webmention receiving enabled, since the injection vector is the unauthenticated webmention REST endpoint processing MF2 'avatar' and 'url' author properties from an attacker-controlled source page. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base 7.2) reflects network reachability, low complexity, no privileges, and a scope change into the admin browser context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a web page containing MF2 author markup whose 'avatar' or 'url' property carries an attribute-breakout XSS payload, then sends an unauthenticated webmention to a target WordPress post linking to that page. The plugin parses and stores the malicious metadata as a pending comment; when a moderator or administrator later opens that comment's edit screen, the script executes in their authenticated session, enabling actions such as creating a rogue admin or altering content. … |
| Remediation | Upgrade the Webmention plugin to the latest version that includes the fix from WordPress plugin changeset 3583033 (https://plugins.trac.wordpress.org/changeset/3583033/webmention), which adds proper output escaping; the changeset confirms an upstream fix is available, but a specific released patched version number is not stated in the provided data, so confirm the fixed version on the plugin page before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Disable the Webmention plugin (wp plugin deactivate webmention) and audit wp_comments for suspicious 'mf2' entries containing script tags. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40376
GHSA-q4c4-6mqr-j8hq