Description
WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject script payloads through the testimonial title field that execute in the browsers of other users viewing the draft post, enabling cookie theft and session hijacking.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw in the Netroics Blog Posts Grid plugin for WordPress. The plugin stores the post_title value it receives without sanitising it and later renders it into its grid markup without escaping, so a user with the Editor role can embed arbitrary JavaScript in the testimonial title field. When other authenticated users open the affected draft post, the injected script runs in their browsers, permitting cookie theft and session hijacking.
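To make the bug class concrete, the following is an added illustrative example. It is not the Netroics plugin's source (this page does not reproduce it); the function names, the grid markup and the payload are assumptions chosen to show an unescaped post_title beside the WordPress-idiomatic, context-aware escaping that fixes it.

```php
<?php
// Added illustrative example, not the Netroics plugin's code.
// Shows the class of bug the advisory describes (post_title rendered into
// HTML without escaping) beside the escaping that fixes it. Function names,
// markup and the sample payload are invented for this example.

// VULNERABLE pattern: the stored title lands in the page exactly as saved,
// once inside an attribute and once as element content.
function npg_grid_item_vulnerable( WP_Post $post ) {
    return '<div class="grid-item"><h3 title="' . $post->post_title . '">'
         . $post->post_title . '</h3></div>';
}

// FIXED pattern: escape for the context the value is inserted into.
// esc_attr() for attribute values, esc_html() for element content.
// get_the_title() applies the the_title filters but does NOT escape,
// so the escaping call still has to be made at the output point.
function npg_grid_item_safe( WP_Post $post ) {
    $title = get_the_title( $post );
    return '<div class="grid-item"><h3 title="' . esc_attr( $title ) . '">'
         . esc_html( $title ) . '</h3></div>';
}

// Constructed payload of the kind an Editor could save as a title. On a
// single-site WordPress install the Editor role holds unfiltered_html, so
// the kses filter that strips tags for lower roles is not applied on save;
// output escaping in the template is therefore the control that matters.
function npg_demo() {
    $payload = '"><img src=x onerror="alert(document.domain)">';
    $post    = new WP_Post( (object) array(
        'ID'          => 0,
        'post_title'  => $payload,
        'post_status' => 'draft',
    ) );

    // The first string breaks out of the title attribute and leaves a live
    // <img> element with an onerror handler; the second renders the same
    // bytes as inert text, because every '<', '>' and '"' is entity-encoded.
    return array(
        'vulnerable' => npg_grid_item_vulnerable( $post ),
        'safe'       => npg_grid_item_safe( $post ),
    );
}
```

The point of the two functions is that the fix is a one-line change at each output site, not input filtering: WordPress already trusts Editors with raw HTML on single-site installs, so a plugin that echoes a stored value has to escape it for the HTML context it writes into.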

Affected Systems

This issue affects version 1.0 of the Netroics Blog Posts Grid WordPress plugin on any WordPress site where it is installed. Administrators should check the Plugins screen (or the output of `wp plugin list`) for the plugin and its version; 1.0 is the only version listed as affected, and no fixed version is listed.

Risk and Exploitability

The CVSS 4.0 score of 5.1 (CVSS 3.1: 6.4, with changed scope because the script runs in another user's browser) places this at moderate severity. The EPSS score is below 1% and the CVE is not in the KEV catalogue, so predicted in-the-wild exploitation is low; note, however, that the SSVC assessment recorded in the history below marks Exploitation as 'poc', i.e. a proof of concept exists. Exploitation needs an account with the Editor role, which many sites grant to staff and contractors, plus a second user who opens the poisoned draft (the CVSS 4.0 vector records this as passive user interaction, UI:P). Attacker-controlled JavaScript then runs in the victim's authenticated session. WordPress sets its authentication cookies HttpOnly, so the realistic outcome is the script acting as the victim inside the site rather than exfiltrating the cookie itself; if the victim is an administrator, that amounts to account and site takeover.

Generated by OpenCVE AI on May 10, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • No patched release is listed at the time of writing. Watch the vendor and the WordPress.org plugin page and update as soon as a version later than 1.0 that fixes the escaping is published.
  • Until then, limit the Editor role to trusted staff. WordPress Editors can always edit post titles, so the field itself cannot be locked; what can be removed is the raw-HTML privilege: on single-site installs the Editor role carries the unfiltered_html capability by default, and adding `define( 'DISALLOW_UNFILTERED_HTML', true );` to wp-config.php withdraws it from every role, after which WordPress's kses filter strips script from titles on save.
  • If the plugin is not essential for site functionality, deactivate or uninstall it entirely to eliminate the vulnerability.
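The two checks the actions above call for, confirming exposure and looking for titles that already carry a payload, can be run together from WP-CLI. The script below is an added example, not part of the plugin or of OpenCVE; it assumes the plugin's display name contains "Blog Posts Grid" (the page gives no slug), and the file name is arbitrary.

```php
<?php
/**
 * Added audit script, not part of the Netroics plugin or of OpenCVE.
 * Run from the site root with WP-CLI:  wp eval-file audit-posts-grid.php
 * Assumes the plugin's display name contains "Blog Posts Grid"; the
 * advisory gives no plugin slug, so the match string is a guess.
 */

require_once ABSPATH . 'wp-admin/includes/plugin.php';

/**
 * Find installed plugins whose name matches and report version/activation.
 * Returns a list of arrays with keys file, version, active.
 */
function npg_find_grid_plugins( $needle = 'Blog Posts Grid' ) {
    $found = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( false !== stripos( $data['Name'], $needle ) ) {
            $found[] = array(
                'file'    => $file,
                'version' => $data['Version'],
                'active'  => is_plugin_active( $file ),
            );
        }
    }
    return $found;
}

/**
 * Hunt for post titles that already carry markup. A legitimate title never
 * needs a tag, an on* handler or a javascript: URL, so each hit is a
 * candidate for manual review (and its author for an account audit).
 * Returns the matching wp_posts rows.
 */
function npg_suspicious_titles() {
    global $wpdb;
    $marker = '/<\s*(script|svg|img|iframe|object|embed|math)\b|\bon[a-z]+\s*=|javascript\s*:/i';
    $rows   = $wpdb->get_results(
        "SELECT ID, post_title, post_type, post_status, post_author
           FROM {$wpdb->posts}
          WHERE post_type <> 'revision'"
    );
    $hits = array();
    foreach ( $rows as $row ) {
        if ( preg_match( $marker, $row->post_title ) ) {
            $hits[] = $row;
        }
    }
    return $hits;
}

// Report: plugin presence and version, then stored-payload candidates.
$plugins = npg_find_grid_plugins();
if ( empty( $plugins ) ) {
    echo "No plugin matching 'Blog Posts Grid' is installed.\n";
}
foreach ( $plugins as $p ) {
    printf(
        "%s version %s (%s)%s\n",
        $p['file'],
        $p['version'],
        $p['active'] ? 'active' : 'inactive',
        version_compare( $p['version'], '1.0', '==' ) ? '  <-- affected version' : ''
    );
}

$hits = npg_suspicious_titles();
printf( "%d post title(s) containing markup or script markers:\n", count( $hits ) );
foreach ( $hits as $h ) {
    printf(
        "  ID %d [%s/%s] author %d: %s\n",
        $h->ID, $h->post_type, $h->post_status, $h->post_author, $h->post_title
    );
}
```

The title scan deliberately covers every post type, because the page does not say which post type the plugin's testimonial entries use; review hits by hand, since a title such as "Onboarding = step 1" will trip the on*= marker.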

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

  Type: Metrics
  Values removed: none
  Values added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 10 May 2026 21:45:00 +0000

  Type: First Time appeared
  Values removed: none
  Values added: Netroics; Netroics netroics Blog Posts Grid; Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values removed: none
  Values added: Netroics; Netroics netroics Blog Posts Grid; Wordpress; Wordpress wordpress

Sun, 10 May 2026 12:45:00 +0000

  Type: Description
  Values removed: none
  Values added: WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject script payloads through the testimonial title field that execute in the browsers of other users viewing the draft post, enabling cookie theft and session hijacking.

  Type: Title
  Values removed: none
  Values added: WordPress Plugin Netroics Blog Posts Grid 1.0 Stored XSS

  Type: Weaknesses
  Values removed: none
  Values added: CWE-79

  Type: References
  Values removed: none
  Values added: none listed

  Type: Metrics
  Values removed: none
  Values added: cvssV3_1
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
  cvssV4_0
    {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T15:09:51.944Z

Reserved: 2026-01-11T13:34:26.331Z

Link: CVE-2022-50946

Vulnrichment

Updated: 2026-05-11T15:09:48.596Z

NVD

Status : Received

Published: 2026-05-10T13:16:32.400

Modified: 2026-05-10T13:16:32.400

Link: CVE-2022-50946

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:23:58Z

Weaknesses