Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
UI:R applied because victim must visit the injected page; all other metrics match provided vector; PR:L reflects mandatory contributor authentication.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Ultimate Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'moreResultsText' block attribute of the ultimate-post/advanced-search block in versions up to and including 5.0.31. This is due to insufficient input sanitization and output escaping in the Advanced_Search::content() render callback: the attribute value is filtered with wp_kses(), which strips disallowed HTML tags but does NOT escape HTML special characters such as double quotes in plain text, and the result is then concatenated directly into the data-viewmoretext HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Ultimate Post (PostX) WordPress plugin versions up to and including 5.0.31 allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the 'moreResultsText' attribute of the advanced-search Gutenberg block. The root cause is a sanitization gap: the render callback applies wp_kses() which strips disallowed HTML tags but does not encode special characters like double quotes in attribute context, and the unsanitized value is then concatenated directly into the data-viewmoretext HTML attribute without esc_attr(), allowing attribute boundary escape. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with contributor-level privileges or higher (Author, Editor, Administrator). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) scores 6.4 Medium. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a contributor-level WordPress account edits or creates a page containing the ultimate-post/advanced-search block and sets the moreResultsText attribute to a payload such as '" onmouseover="alert(document.cookie)' or an equivalent script injection string. Because the value bypasses wp_kses() sanitization without esc_attr() encoding, the double quote breaks out of the data-viewmoretext attribute context and the injected event handler or script tag is stored in page content. … |
| Remediation | A fix has been committed upstream as WordPress.org plugin changeset 3598669 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3598669%40ultimate-post&new=3598669%40ultimate-post); however, the exact patched release version is not independently confirmed from available data - site administrators should update to the latest available version of the Ultimate Post / PostX plugin beyond 5.0.31 and verify via the WordPress admin plugin page. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42520
GHSA-fmqh-3qcq-wcxg