Skip to main content

Ultimate Post EUVDEUVD-2026-42520

| CVE-2026-13253 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 Wordfence GHSA-fmqh-3qcq-wcxg
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

UI:R applied because victim must visit the injected page; all other metrics match provided vector; PR:L reflects mandatory contributor authentication.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 08:42 vuln.today
CVE Published
Jul 09, 2026 - 06:52 nvd
MEDIUM 6.4

DescriptionCVE.org

The Ultimate Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'moreResultsText' block attribute of the ultimate-post/advanced-search block in versions up to and including 5.0.31. This is due to insufficient input sanitization and output escaping in the Advanced_Search::content() render callback: the attribute value is filtered with wp_kses(), which strips disallowed HTML tags but does NOT escape HTML special characters such as double quotes in plain text, and the result is then concatenated directly into the data-viewmoretext HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Ultimate Post (PostX) WordPress plugin versions up to and including 5.0.31 allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the 'moreResultsText' attribute of the advanced-search Gutenberg block. The root cause is a sanitization gap: the render callback applies wp_kses() which strips disallowed HTML tags but does not encode special characters like double quotes in attribute context, and the unsanitized value is then concatenated directly into the data-viewmoretext HTML attribute without esc_attr(), allowing attribute boundary escape. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with contributor-level WordPress credentials
Delivery
Edit or create page with advanced-search block
Exploit
Inject XSS payload into moreResultsText attribute
Execution
Page saved with unescaped data-viewmoretext attribute value
Persist
Victim visits injected page
Impact
Injected JavaScript executes in victim's browser context

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with contributor-level privileges or higher (Author, Editor, Administrator). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) scores 6.4 Medium. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a contributor-level WordPress account edits or creates a page containing the ultimate-post/advanced-search block and sets the moreResultsText attribute to a payload such as '" onmouseover="alert(document.cookie)' or an equivalent script injection string. Because the value bypasses wp_kses() sanitization without esc_attr() encoding, the double quote breaks out of the data-viewmoretext attribute context and the injected event handler or script tag is stored in page content. …
Remediation A fix has been committed upstream as WordPress.org plugin changeset 3598669 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3598669%40ultimate-post&new=3598669%40ultimate-post); however, the exact patched release version is not independently confirmed from available data - site administrators should update to the latest available version of the Ultimate Post / PostX plugin beyond 5.0.31 and verify via the WordPress admin plugin page. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42520 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy