Skip to main content

Author Box WP Lens EUVDEUVD-2026-43347

| CVE-2026-57420 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Network-delivered stored XSS requires low-privilege account (PR:L) and active victim browsing (UI:R); S:C for cross-context script execution; A:N as XSS does not directly cause availability loss.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:23 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Netrr Author Box WP Lens author-box-for-divi allows Stored XSS.This issue affects Author Box WP Lens: from n/a through <= 2.1.5.

AnalysisAI

Stored cross-site scripting in the Author Box WP Lens WordPress plugin (versions through 2.1.5) enables authenticated low-privilege users to persist malicious JavaScript payloads that execute in the browsers of any user who views an affected page, including administrators. The CVSS scope change (S:C) reflects that the injected script runs in a different security context than where it was stored, meaning a contributor-level attacker can target higher-privileged victims browsing the same site. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker gains low-privilege WordPress account
Delivery
Injects XSS payload into author box plugin field
Exploit
Payload persisted to WordPress database
Execution
Victim (e.g., admin) visits page rendering author box
Persist
Malicious script executes in victim's browser session
Impact
Attacker exfiltrates session tokens or performs privileged actions

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress user account with at minimum low-privilege access sufficient to write to author box fields managed by the plugin (PR:L per CVSS vector - typically Author or Contributor role). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) vector signals a realistic but constrained threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a low-privilege WordPress account (Author or Contributor role) and edits their author profile or an author box widget field to include a JavaScript payload such as a cookie-stealing script. When a WordPress administrator later browses to any post page rendering that author box, the payload executes in the admin's browser session, exfiltrating their session cookie to an attacker-controlled server and enabling full administrative account takeover. …
Remediation Update the Author Box WP Lens plugin to a version above 2.1.5 if Netrr has released a patched build; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/author-box-for-divi/vulnerability/wordpress-author-box-wp-lens-plugin-2-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve for confirmation of the exact fixed version, as the current intelligence does not independently confirm a specific patched release number. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43347 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy