Draft List

Product: 1 CVE

CVE-2026-4006 MEDIUM This Month

The Simple Draft List WordPress plugin for Dartiss contains a Stored Cross-Site Scripting vulnerability in versions up to 2.6.2, caused by insufficient input sanitization and output escaping of the 'display_name' post meta field. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript via the {{author+link}} template tag when no author URL is present, which will execute whenever users visit pages containing the [drafts] shortcode. The vulnerability has a CVSS score of 6.4 with a network attack vector and low attack complexity, requiring only low-level privileges.

WordPress PHP XSS Draft List
NVD VulDB
CVSS 3.1: 6.4
EPSS: 0.0%
