WordPress Plugin Vulnerabilities

User Submitted Posts < 20260608 - Unauthenticated Stored XSS via Author Name

Description

The plugin does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled.

Proof of Concept

Affects Plugins

Fixed in 20260608

References

Classification

Type
XSS
CWE
CVSS

Miscellaneous

Original Researcher
dangnosuy
Submitter
dangnosuy
Submitter website
Verified
Yes

Timeline

Publicly Published
2026-06-10 (about 21 days ago)
Added
2026-06-10 (about 20 days ago)
Last Updated
2026-06-30 (about 9 hours ago)

Other