WordPress Plugin Vulnerabilities

DukaPress <= 3.2.4 - Reflected XSS

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Proof of Concept

Affects Plugins

Plugin icon
dukapress
No known fix

References

CVE
CVE-2026-2466

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Vuln Seeker Cyber Security Team
Submitter
Vuln Seeker Cyber Security Team
Submitter website
https://vulnseeker.org/
Verified
Yes
WPVDB ID
2843e8fe-0c02-48ee-ada3-f1c3d1ee73eb

Timeline

Publicly Published
2026-02-18 (about 21 days ago)
Added
2026-02-18 (about 20 days ago)
Last Updated
2026-02-18 (about 20 days ago)

Other

Published
Title
Published
2023-01-26
Title
Bootstrap Shortcodes <= 3.4.0 - Contributor+ Stored XSS via Shortcode
Published
2022-02-25
Title
Contact Form X < 2.4.1 - Reflected Cross-Site Scripting
Published
2024-08-19
Title
The Plus Addons for Elementor < 5.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via TP Page Scroll Widget
Published
2024-03-28
Title
WP-CRM System < 3.2.9.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2014-08-01
Title
Pinboard 1.0.6 - includes/theme-options.php tab Parameter XSS