Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-v83h-rhjw-9wgp

Опубликовано: 24 янв. 2026
Источник: github
Github: Не прошло ревью
CVSS3: 4.4

Описание

The Postalicious plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

The Postalicious plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Ссылки

EPSS

Процентиль: 16%
0.00052
Низкий

4.4 Medium

CVSS3

CVE ID

CVE-2026-1266

Дефекты

CWE-79

Связанные уязвимости

nvd логотип

CVE-2026-1266

CVSS3: 4.4
nvd
14 дней назад

The Postalicious plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

EPSS

Процентиль: 16%
0.00052
Низкий

4.4 Medium

CVSS3

CVE ID

CVE-2026-1266

Дефекты

CWE-79