Skip to main content

Wp Latest Posts

1 CVEs product

Monthly

CVE-2026-9620 MEDIUM This Month

Stored Cross-Site Scripting in the WP Latest Posts WordPress plugin (versions up to and including 5.0.11) allows authenticated attackers with author-level access to plant persistent JavaScript payloads by crafting malicious image src attributes in post content. The plugin's field() and loop() functions in wplp-front.inc.php extract raw src values via regex and reconstruct HTML img elements or CSS background-image declarations through direct string concatenation, entirely bypassing WordPress's built-in kses sanitization. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the scope change to the victim's browser context enables session hijacking or credential theft against any user who visits an injected page.

XSS WordPress Wp Latest Posts
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the WP Latest Posts WordPress plugin (versions up to and including 5.0.11) allows authenticated attackers with author-level access to plant persistent JavaScript payloads by crafting malicious image src attributes in post content. The plugin's field() and loop() functions in wplp-front.inc.php extract raw src values via regex and reconstruct HTML img elements or CSS background-image declarations through direct string concatenation, entirely bypassing WordPress's built-in kses sanitization. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the scope change to the victim's browser context enables session hijacking or credential theft against any user who visits an injected page.

XSS WordPress Wp Latest Posts
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy