Skip to main content

Webmention

1 CVEs product

Monthly

CVE-2026-10513 HIGH This Week

Stored cross-site scripting in the Webmention WordPress plugin (versions up to and including 5.8.0) lets unauthenticated attackers persist malicious script through the public webmention REST endpoint, which a moderator or administrator then triggers simply by opening the affected comment's edit screen. Attacker-controlled MF2 'avatar' and 'url' author properties are stored and later echoed unescaped into HTML 'value' attributes, yielding script execution in a privileged admin session. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the provided data.

WordPress XSS Webmention
NVD
CVSS 3.1
7.2
EPSS
0.2%
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Webmention WordPress plugin (versions up to and including 5.8.0) lets unauthenticated attackers persist malicious script through the public webmention REST endpoint, which a moderator or administrator then triggers simply by opening the affected comment's edit screen. Attacker-controlled MF2 'avatar' and 'url' author properties are stored and later echoed unescaped into HTML 'value' attributes, yielding script execution in a privileged admin session. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the provided data.

WordPress XSS Webmention
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy