Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Contributor account required (PR:L), victim must render content (UI:R), scope change reflects cross-context browser execution (S:C); availability impact removed as XSS does not affect service availability.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Contributor Cross Site Scripting (XSS) in Structured Content <= 1.7.0 versions.
AnalysisAI
Cross-site scripting in the Structured Content WordPress plugin (versions <= 1.7.0) allows a Contributor-level authenticated user to inject malicious JavaScript that executes in the browser of higher-privileged users who subsequently view the crafted content. The CVSS scope change (S:C) confirms the payload crosses into the victim's browser security context, enabling session hijacking, credential theft, or unauthorized administrative actions within a WordPress installation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to possess a valid Contributor-level (or higher) account on the target WordPress installation, as confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (Medium) accurately reflects key risk constraints: the attack is network-accessible with low complexity (AV:N/AC:L), but requires a low-privilege authenticated account (PR:L) and victim interaction (UI:R), which together meaningfully reduce opportunistic exploitation potential. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or obtains a Contributor-level account on the target WordPress site crafts a post or content block containing a malicious JavaScript payload within input fields handled by the Structured Content plugin and submits it. When an administrator or editor subsequently opens the content in their authenticated browser session to review or publish it, the injected script executes silently, allowing the attacker to exfiltrate session cookies, perform privileged WordPress actions on behalf of the victim, or redirect the administrator to an attacker-controlled site. … |
| Remediation | Update the Structured Content plugin to a version above 1.7.0 per the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/structured-content/vulnerability/wordpress-structured-content-plugin-1-7-0-cross-site-scripting-xss-vulnerability?_s_id=cve); however, a specific confirmed patched release version is not independently verified from available data - check the WordPress plugin repository directly before upgrading to confirm a patched release exists. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Structured Content
View allDeserialization of Untrusted Data vulnerability in Gordon Böhme, Antonio Leutsch Structured Content (JSON-LD) #wpsc.5.3.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gordon Böhme, Anto
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gordon Böhme, Anto
The Structured Content (JSON-LD) #wpsc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin'
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41318
GHSA-xmfw-955c-7j22