Description
WordPress Plugin WP24 Domain Check 1.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the fieldnameDomain parameter. Attackers can inject JavaScript payloads through the plugin settings form at options.php that execute in the browsers of administrators viewing the settings page.
Published: 2026-06-08
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored XSS flaw exists in the WP24 Domain Check 1.6.2 plugin, allowing authenticated attackers to inject scripts via the fieldnameDomain parameter in the plugin’s settings page. The injected JavaScript runs when administrators view the page, enabling potential defacement, phishing, or credential theft. Exploitation relies on the plugin’s lack of input sanitization and does not require remote code execution, but it can compromise all data accessed by administrators.

Affected Systems

WordPress sites running the WP24 Domain Check plugin version 1.6.2 are affected. The vulnerability is specific to this plugin and its settings processing on options.php. Only installations that have the plugin installed and expose the fieldnameDomain input are susceptible.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated; however, they only need access to an administrative account to exploit the XSS. Once injected, the script executes in the administrator’s browser session, so the risk is confined to users with elevated privileges unless broader credential compromise occurs.

Generated by OpenCVE AI on June 8, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP24 Domain Check plugin to the latest version that removes the vulnerable fieldnameDomain input or employs proper sanitization; if an update is not available, uninstall or disable the plugin entirely.
  • If disabling is not an option, remove or disable the fieldnameDomain parameter from the plugin’s code or configuration to prevent malicious input from being saved and displayed.
  • Implement a strong Content-Security-Policy header on the WordPress site to limit script execution in admin pages and regularly audit administrator accounts for unusual activity.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 02:00:00 +0000

Type | Values Removed | Values Added
Description | | WordPress Plugin WP24 Domain Check 1.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the fieldnameDomain parameter. Attackers can inject JavaScript payloads through the plugin settings form at options.php that execute in the browsers of administrators viewing the settings page.
Title | | WordPress Plugin WP24 Domain Check 1.6.2 Stored XSS
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
Metrics | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-08T13:38:29.803Z

Reserved: 2026-06-08T01:49:11.020Z

Link: CVE-2021-47984

Vulnrichment

Updated: 2026-06-08T13:38:25.948Z

NVD

Status: Deferred

Published: 2026-06-08T02:16:22.503

Modified: 2026-06-08T14:59:44.750

Link: CVE-2021-47984

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T03:30:16Z
