WordPress Plugin Vulnerabilities

Blog Filter < 1.7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Blog Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
blog-filter
Fixed in 1.7.7

References

CVE
CVE-2026-39517
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/18510b77-1c73-4f19-88e6-572936132d73

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (Medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
43215fbe-a46c-431e-b9a2-2b06a584cdd8

Timeline

Publicly Published
2026-02-11 (about 3 months ago)
Added
2026-05-07 (about 7 days ago)
Last Updated
2026-05-07 (about 7 days ago)

Other

Published
Title
Published
2022-01-18
Title
FeedWordPress < 2022.0123 - Reflected Cross-Site Scripting (XSS)
Published
2021-10-18
Title
Client Invoicing by Sprout Invoices < 19.9.7 - Admin+ Stored Cross-Site Scripting
Published
2023-01-06
Title
Blog Designer – Post and Widget < 2.4.1 - Contributor+ Stored XSS via Shortcode
Published
2025-09-25
Title
Popup Maker < 1.21.0 - Contributor+ Stored XSS via title Parameter
Published
2023-10-16
Title
Ninja Forms < 3.6.34 - Admin+ Stored XSS