Description
The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-20
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows authenticated contributors to inject persistent scripts into pages
Action: Patch Now
AI Analysis

Impact

The Draft List WordPress plugin contains a stored Cross‑Site Scripting flaw (CWE‑79): attribute values supplied to its 'drafts' shortcode are neither sanitized on input nor escaped on output. An attacker with Contributor‑level or higher permissions can save a post whose shortcode attributes carry JavaScript, and the payload is persisted with the post content. Because Contributors cannot publish, the first victim is typically the Editor or Administrator who previews or reviews the submission; once the post is published, the script runs in the browser of every visitor. The script acts with the victim's privileges on the site (for an Administrator that includes creating users or installing plugins), and can also deface the page or exfiltrate data the browser holds for the site. The CVSS 3.1 base score of 6.4 rates the issue Medium; its changed‑scope component reflects that the payload executes in the victim's browser rather than in the attacker's own security context.
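The pattern behind the advisory, shown as an added illustration rather than the Draft List plugin's own code: only the shortcode tag 'drafts' comes from the advisory, while the attribute names, the data source and both handlers below are hypothetical. A vulnerable handler interpolates attribute values straight into HTML; the hardened one escapes each value for the context it lands in.

```php
<?php
/**
 * Added illustration of the CWE-79 shortcode pattern. NOT the Draft List
 * plugin's code: only the tag 'drafts' comes from the advisory; attribute
 * names and handlers are hypothetical. Assumes a WordPress bootstrap
 * (shortcode_atts, esc_attr, esc_html, add_shortcode).
 */

// Hypothetical data source standing in for the plugin's draft lookup.
function example_get_draft_titles() {
    return array( 'Q3 roadmap', 'Release notes <draft>' );
}

// Vulnerable pattern: attribute values reach the HTML unescaped. A
// Contributor who saves
//   [drafts class='x" onmouseover="alert(document.domain)']
// gets the event handler emitted as live markup. kses does not catch it
// because a shortcode is not an HTML tag, so its attribute values are
// never inspected as HTML on save.
function example_drafts_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'class' => 'draft-list', 'title' => 'Drafts' ),
        $atts,
        'drafts'
    );
    $out = '<div class="' . $atts['class'] . '"><h3>' . $atts['title'] . '</h3><ul>';
    foreach ( example_get_draft_titles() as $draft_title ) {
        $out .= '<li>' . $draft_title . '</li>';
    }
    return $out . '</ul></div>';
}

// Hardened pattern: escape for the context each value lands in.
function example_drafts_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'class' => 'draft-list', 'title' => 'Drafts' ),
        $atts,
        'drafts'
    );
    // Attribute context: esc_attr() encodes " and ' so the value cannot
    // close the class attribute and open a new one such as onmouseover.
    $class = esc_attr( $atts['class'] );
    // Text context: esc_html() encodes <, >, & and quotes.
    $title = esc_html( $atts['title'] );
    $out   = '<div class="' . $class . '"><h3>' . $title . '</h3><ul>';
    foreach ( example_get_draft_titles() as $draft_title ) {
        // Values read from the database are escaped too: storage is not
        // a trust boundary, since a Contributor may have written them.
        $out .= '<li>' . esc_html( $draft_title ) . '</li>';
    }
    return $out . '</ul></div>';
}

// Registered under example tags so this file cannot clobber the real
// 'drafts' shortcode if it is dropped into a live site.
add_shortcode( 'example_drafts_vulnerable', 'example_drafts_shortcode_vulnerable' );
add_shortcode( 'example_drafts_safe', 'example_drafts_shortcode_safe' );
```

The escaping function must match the output context: esc_attr() inside a quoted attribute, esc_html() in element text, esc_url() for an href or src. Escaping at output is what closes the hole; sanitizing on input (for instance restricting a class attribute to a safe character set) is a useful second layer but not a substitute.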

Affected Systems

The vulnerability affects any WordPress site running the Draft List plugin (vendor dartiss) at version 2.6 or earlier. Every site still on an affected release remains exploitable until it is upgraded or the plugin is deactivated.

Risk and Exploitability

The CVSS 3.1 base score is 6.4 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). EPSS is below 1 %, indicating a very low predicted probability of exploitation at this time, the vulnerability is not listed in CISA KEV, and the SSVC record marks exploitation as 'none' and the issue as not automatable. It does not provide a remote code execution path, but it is reachable by any authenticated user at Contributor level or above, who only needs to save a post or page containing the malicious shortcode. No interaction beyond viewing the page is required of the victim: the script executes for any privileged user who previews the pending submission and, once it is published, for every visitor to the affected page.
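Because exploitation leaves the payload in post_content, a site can check whether the shortcode has already been abused. The triage script below is an added example, not code from the plugin, Wordfence or OpenCVE: it runs inside a WordPress bootstrap (for instance `wp eval-file hunt-drafts-shortcode.php`), parses every stored 'drafts' shortcode with WordPress's own shortcode regex, and flags attribute values that carry markup. It assumes that legitimate attribute values for this shortcode never contain angle brackets, quotes, an on*= handler or a javascript: URL; the function and variable names are the example's own.

```php
<?php
/**
 * Added triage script, not from the plugin, OpenCVE or Wordfence. Run inside
 * a WordPress bootstrap, e.g. `wp eval-file hunt-drafts-shortcode.php`.
 * Assumption: legitimate 'drafts' attribute values never contain <, >,
 * quotes, an on*= event handler or a javascript: URL.
 */

function example_attribute_looks_injected( $value ) {
    return (bool) preg_match( '/[<>"\']|\bon\w+\s*=|javascript\s*:/i', (string) $value );
}

function example_hunt_drafts_shortcode_abuse() {
    global $wpdb;
    $findings = array();

    // Cheap SQL pre-filter; the precise parse happens in PHP below.
    // Revisions are deliberately included so earlier versions of a
    // cleaned-up post are still visible during incident response.
    $rows = $wpdb->get_results(
        "SELECT ID, post_author, post_status, post_type, post_content
           FROM {$wpdb->posts}
          WHERE post_content LIKE '%[drafts%'"
    );

    // WordPress's shortcode regex restricted to this one tag, so attributes
    // are extracted exactly as do_shortcode() would hand them to the plugin.
    $pattern = '/' . get_shortcode_regex( array( 'drafts' ) ) . '/s';

    foreach ( $rows as $row ) {
        if ( ! preg_match_all( $pattern, $row->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            $atts = shortcode_parse_atts( $m[3] ); // capture group 3 is the attribute string
            if ( ! is_array( $atts ) ) {
                continue; // shortcode used without attributes
            }
            foreach ( $atts as $name => $value ) {
                if ( example_attribute_looks_injected( $value ) ) {
                    $author     = get_userdata( (int) $row->post_author );
                    $findings[] = array(
                        'post_id'   => (int) $row->ID,
                        'post_type' => $row->post_type,
                        'status'    => $row->post_status,
                        'author'    => $author ? $author->user_login : 'unknown',
                        'attribute' => $name,
                        'value'     => $value,
                    );
                }
            }
        }
    }
    return $findings;
}

foreach ( example_hunt_drafts_shortcode_abuse() as $f ) {
    printf(
        "post %d (%s, %s) by %s: attribute %s = %s\n",
        $f['post_id'], $f['post_type'], $f['status'], $f['author'], $f['attribute'], $f['value']
    );
}
```

A hit on a post in 'pending' status written by a Contributor is the scenario the advisory describes; a hit on a post by a user who holds unfiltered_html is less interesting, since that user could have written the script tag directly. Treat the author account of any genuine finding as compromised or hostile and review its other content.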

Generated by OpenCVE AI on April 22, 2026 at 22:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Draft List plugin as soon as a release newer than 2.6 that addresses this issue is available. This page currently records no vendor fix, so confirm in the plugin changelog that the release fixes the 'drafts' shortcode before relying on the upgrade.
  • Until then, deactivate the plugin, or neutralise the 'drafts' shortcode for content written by users without the unfiltered_html capability (for example by unregistering it, or by wrapping its handler with strict attribute filtering from a must‑use plugin).
  • Search existing posts, pages and revisions for the shortcode with attribute values that contain angle brackets, quotes or event‑handler names, since exploitation leaves the payload stored in post_content.
  • A site‑wide Content Security Policy that disallows inline scripts (nonce‑ or hash‑based) limits what an injected payload can do if the plugin stays in place; WordPress core and many plugins rely on inline scripts, so test the policy in report‑only mode before enforcing it.
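One way to apply the interim restriction above, as an added example that is not vendor code: a must‑use plugin that re‑registers the 'drafts' shortcode with a wrapper which passes posts by unfiltered_html holders through untouched and strips every attribute value to a safe character set for everyone else. It assumes the plugin registers its shortcode under the tag 'drafts' (as the advisory states) by the time the 'init' action has run, and that legitimate attribute values consist of letters, digits, spaces and basic punctuation; function names are the example's own.

```php
<?php
/**
 * Plugin Name: Interim hardening for the Draft List 'drafts' shortcode
 *
 * Added example, NOT code from the Draft List plugin or its vendor. Place in
 * wp-content/mu-plugins/ and delete it once a fixed release is installed.
 * Assumptions: the shortcode tag is 'drafts' (per the advisory) and is
 * registered by the time 'init' completes; legitimate attribute values use
 * only letters, digits, spaces and . , _ -
 */

add_action( 'init', 'example_wrap_drafts_shortcode', PHP_INT_MAX );

function example_wrap_drafts_shortcode() {
    global $shortcode_tags;

    if ( ! shortcode_exists( 'drafts' ) ) {
        return; // plugin inactive or tag renamed; nothing to wrap
    }
    $original = $shortcode_tags['drafts'];

    // Re-registering under the same tag replaces the callback, so existing
    // content keeps rendering but every call goes through the wrapper.
    add_shortcode( 'drafts', function ( $atts, $content = '', $tag = 'drafts' ) use ( $original ) {
        $post = get_post(); // the post currently being rendered

        // Authors who hold unfiltered_html can already put arbitrary markup
        // in content; filtering their shortcode gains nothing. (On multisite
        // only super admins hold it, which is stricter and still safe.)
        if ( $post && author_can( $post, 'unfiltered_html' ) ) {
            return call_user_func( $original, $atts, $content, $tag );
        }

        // For everyone else, reduce each attribute value to characters that
        // cannot open or close a tag, attribute or URL scheme.
        $clean = array();
        if ( is_array( $atts ) ) {
            foreach ( $atts as $key => $value ) {
                $clean[ $key ] = preg_replace( '/[^A-Za-z0-9 _.,\-]/', '', (string) $value );
            }
        }
        return call_user_func( $original, $clean, $content, $tag );
    } );
}
```

If the plugin's attribute semantics are unknown, the blunter but safer variant is to call remove_shortcode( 'drafts' ) from the same 'init' hook, which renders the shortcode as literal text on every page until the upgrade. Either way, this only blocks future rendering of the payload; already stored shortcodes still need to be found and cleaned.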



Advisories
Source   ID                 Title
EUVD     EUVD-2025-30313    The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 22 Sep 2025 15:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Sep 2025 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Sat, 20 Sep 2025 04:45:00 +0000

Type          Values Removed   Values Added
Description                    The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                          Draft List <= 2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:27.940Z

Reserved: 2025-09-09T14:33:01.772Z

Link: CVE-2025-10181

Vulnrichment

Updated: 2025-09-22T15:11:42.927Z

NVD

Status: Deferred

Published: 2025-09-20T05:15:35.320

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10181

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:15:26Z

Weaknesses