Skip to main content

Webmention (WordPress) EUVDEUVD-2026-40376

| CVE-2026-10513 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-30 Wordfence GHSA-q4c4-6mqr-j8hq
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Unauthenticated injection via the network endpoint (PR:N, AV:N, AC:L), but execution needs a moderator to open the edit screen (UI:R), with scope change into the admin browser context (S:C) and limited C/I impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 30, 2026 - 19:22 vuln.today
CVE Published
Jun 30, 2026 - 18:32 nvd
HIGH 7.2

DescriptionCVE.org

The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the unauthenticated webmention REST endpoint and rendered directly into HTML 'value' attributes by the edit-comment-form template without esc_attr() or esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a privileged user (moderator or administrator) opens the affected comment edit screen.

AnalysisAI

Stored cross-site scripting in the Webmention WordPress plugin (versions up to and including 5.8.0) lets unauthenticated attackers persist malicious script through the public webmention REST endpoint, which a moderator or administrator then triggers simply by opening the affected comment's edit screen. Attacker-controlled MF2 'avatar' and 'url' author properties are stored and later echoed unescaped into HTML 'value' attributes, yielding script execution in a privileged admin session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Discover target running Webmention plugin
Delivery
Host page with malicious MF2 avatar/url markup
Exploit
Send unauthenticated webmention to target post
Install
Payload stored as pending comment metadata
C2
Admin opens comment edit screen
Execute
Script executes in privileged session
Impact
Hijack admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the target site to have the Webmention plugin (≤5.8.0) installed with inbound webmention receiving enabled, since the injection vector is the unauthenticated webmention REST endpoint processing MF2 'avatar' and 'url' author properties from an attacker-controlled source page. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base 7.2) reflects network reachability, low complexity, no privileges, and a scope change into the admin browser context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a web page containing MF2 author markup whose 'avatar' or 'url' property carries an attribute-breakout XSS payload, then sends an unauthenticated webmention to a target WordPress post linking to that page. The plugin parses and stores the malicious metadata as a pending comment; when a moderator or administrator later opens that comment's edit screen, the script executes in their authenticated session, enabling actions such as creating a rogue admin or altering content. …
Remediation Upgrade the Webmention plugin to the latest version that includes the fix from WordPress plugin changeset 3583033 (https://plugins.trac.wordpress.org/changeset/3583033/webmention), which adds proper output escaping; the changeset confirms an upstream fix is available, but a specific released patched version number is not stated in the provided data, so confirm the fixed version on the plugin page before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable the Webmention plugin (wp plugin deactivate webmention) and audit wp_comments for suspicious 'mf2' entries containing script tags. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40376 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy