Webmention
Monthly
Stored cross-site scripting in the Webmention WordPress plugin (versions up to and including 5.8.0) lets unauthenticated attackers persist malicious script through the public webmention REST endpoint, which a moderator or administrator then triggers simply by opening the affected comment's edit screen. Attacker-controlled MF2 'avatar' and 'url' author properties are stored and later echoed unescaped into HTML 'value' attributes, yielding script execution in a privileged admin session. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the provided data.
Stored cross-site scripting in the Webmention WordPress plugin (versions up to and including 5.8.0) lets unauthenticated attackers persist malicious script through the public webmention REST endpoint, which a moderator or administrator then triggers simply by opening the affected comment's edit screen. Attacker-controlled MF2 'avatar' and 'url' author properties are stored and later echoed unescaped into HTML 'value' attributes, yielding script execution in a privileged admin session. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the provided data.