Description
The WP Data Access plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpda_app' shortcode in all versions up to, and including, 5.5.63 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-14
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that can run arbitrary scripts when a page containing the wpda_app shortcode is viewed
Action: Immediate Patch
AI Analysis

Impact

Authenticated contributors with WordPress access can inject malicious JavaScript into the wpda_app shortcode because the plugin fails to sanitize or escape user‑supplied attributes. This flaw creates a stored XSS vector that executes the payload in the browsers of any visitor who views the affected page, enabling session hijacking, defacement, or the execution of other malicious actions. The weakness is identified as CWE‑79 (Improper Neutralization of Input During Web Page Generation).

Affected Systems

The vulnerability exists in the WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards plugin from peterschulznl in all releases up to and including 5.5.63. Sites running these versions and permitting contributor‑level or higher users can be impacted; versions 5.5.64 and later have the issue fixed.

Risk and Exploitability

The CVSS v3 score of 6.4 indicates moderate severity, while the EPSS score of less than 1% reflects a presently low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires authentication at the contributor level or higher, so the risk is constrained by the role permissions in place. Nonetheless, once an attacker has the necessary credentials, the stored XSS can be deployed immediately. Official remediation is to upgrade to 5.5.64 or newer, which restores proper input validation and output escaping; as a temporary measure, removing or disabling the wpda_app shortcode for contributors can mitigate exposure.

Generated by OpenCVE AI on April 15, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Data Access to version 5.5.64 or later to remove the unsanitized attribute handling.
  • If an upgrade cannot be performed immediately, temporarily disable the wpda_app shortcode for all contributor and lower roles, or remove it from pages until a fix is available.
  • Ensure that any remaining user‑supplied attributes in the plugin are properly escaped or filtered, following the guidelines for preventing CWE‑79 cross‑site scripting attacks.

Generated by OpenCVE AI on April 15, 2026 at 18:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Peterschulznl
Peterschulznl wp Data Access – No-code App Builder With Tables, Forms, Charts & Maps
Wordpress
Wordpress wordpress
Vendors & Products Peterschulznl
Peterschulznl wp Data Access – No-code App Builder With Tables, Forms, Charts & Maps
Wordpress
Wordpress wordpress

Sat, 14 Feb 2026 06:45:00 +0000

Type Values Removed Values Added
Description The WP Data Access plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpda_app' shortcode in all versions up to, and including, 5.5.63 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title WP Data Access <= 5.5.63 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpda_app' Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Peterschulznl Wp Data Access – No-code App Builder With Tables, Forms, Charts & Maps
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:10:34.281Z

Reserved: 2026-01-01T21:38:05.369Z

Link: CVE-2026-0557

cve-icon Vulnrichment

Updated: 2026-02-18T20:35:35.520Z

cve-icon NVD

Status : Deferred

Published: 2026-02-14T07:16:08.053

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0557

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:30:10Z

Weaknesses