Description
The List Site Contributors plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'alpha' parameter in versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2026-01-14
Score: 6.1 Medium
EPSS: 1.1% Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The List Site Contributors plugin for WordPress has a reflected cross‑site scripting vulnerability that arises when the alpha parameter is used without proper sanitization or escaping. An unauthenticated attacker can craft a URL carrying a malicious payload in that parameter, which is reflected into the page output and executed in the victim’s browser when the link is visited.

Affected Systems

This flaw affects the mallsop List Site Contributors plugin for WordPress in all releases up to and including version 1.1.8. Any site that has installed a vulnerable version remains at risk until the plugin is upgraded.

Risk and Exploitability

The CVSS base score is 6.1, placing the issue in the moderate range. The EPSS score of 1 % suggests a relatively low probability of exploitation in the wild. The plugin is not listed in CISA’s KEV catalog. Exploitation would require the attacker to entice a user to click a crafted link that contains the vulnerable alpha parameter, after which the reflected script runs in the context of the user’s session.

Generated by OpenCVE AI on April 18, 2026 at 16:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the List Site Contributors plugin to a version newer than 1.1.8.
  • Deploy a WAF rule that blocks or sanitizes requests containing the alpha parameter with script characters, preventing malicious payloads from reaching the application.
  • Add a strict Content‑Security‑Policy response header that disallows inline scripts or limits script sources to trusted origins, which mitigates the impact of any reflected scripts until the plugin is patched.

Generated by OpenCVE AI on April 18, 2026 at 16:18 UTC.
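The pattern behind this advisory and the two recommended mitigations, as an added illustration that is not the List Site Contributors plugin's own code: a hypothetical handler that echoes the alpha query parameter unescaped, the same handler hardened with WordPress's sanitization and escaping helpers, and a Content-Security-Policy header sent via the send_headers hook. It assumes it runs inside a loaded WordPress install; the lsc_demo_* function names are invented.

```php
<?php
// Added example, not code from the List Site Contributors plugin.
// Assumes WordPress is loaded (esc_html, sanitize_text_field, add_action exist).

// VULNERABLE pattern (hypothetical): the raw query value is written into HTML.
// This is the CWE-79 shape the advisory describes: no sanitization, no escaping.
function lsc_demo_unsafe_heading() {
    $alpha = isset( $_GET['alpha'] ) ? $_GET['alpha'] : '';
    echo '<h2>Contributors starting with ' . $alpha . '</h2>';
}

// HARDENED pattern: normalise, restrict to the expected shape, escape on output.
function lsc_demo_safe_heading() {
    $raw   = isset( $_GET['alpha'] ) ? wp_unslash( $_GET['alpha'] ) : '';
    $alpha = sanitize_text_field( $raw );          // strips tags and control chars
    // The parameter selects a starting letter, so anything else is rejected.
    if ( ! preg_match( '/^[A-Za-z]$/', $alpha ) ) {
        $alpha = '';
    }
    // esc_html() for text nodes; use esc_attr() inside attributes, esc_url() in href.
    echo '<h2>Contributors starting with ' . esc_html( $alpha ) . '</h2>';
    echo '<a href="' . esc_url( add_query_arg( 'alpha', $alpha ) ) . '">'
        . esc_html( $alpha ) . '</a>';
}

// Defence in depth while unpatched: a CSP with no 'unsafe-inline' stops a
// reflected <script> or inline event handler from executing even if it lands
// in the page. Test against your theme first: legitimate inline scripts need
// nonces or hashes added to script-src, or they will be blocked too.
function lsc_demo_send_csp() {
    if ( headers_sent() ) {
        return;
    }
    header(
        "Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
    );
}
add_action( 'send_headers', 'lsc_demo_send_csp' );
```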

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 11:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Wed, 14 Jan 2026 05:45:00 +0000

Type | Values Removed | Values Added
Description | | The List Site Contributors plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'alpha' parameter in versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title | | List Site Contributors <= 1.1.8 - Reflected Cross-Site Scripting via alpha
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:41.848Z

Reserved: 2026-01-04T20:45:34.251Z

Link: CVE-2026-0594

Vulnrichment

Updated: 2026-01-14T15:45:28.159Z

NVD

Status : Deferred

Published: 2026-01-14T06:15:54.893

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0594

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses