Impact
The Webmention plugin for WordPress is vulnerable to stored Cross‑Site Scripting because it fails to sanitize MF2 author attributes. The plugin’s parser extracts the ‘avatar’ and ‘url’ properties from user‑supplied data and inserts them directly into HTML value attributes without escaping, allowing an attacker to embed JavaScript. An unauthenticated actor can craft a webmention and post it through the exposed REST endpoint; the malicious payload is stored and will run when a moderator or administrator opens the comment edit screen.
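The attribute-context flaw described above, shown next to its escaped form, as an added example that is not the plugin's own code. It is standalone PHP with hypothetical function and field names and a constructed sample value; in a WordPress template the equivalent output escapers are `esc_attr()` and `esc_url()`.

```php
<?php
// Added example: standalone PHP (no WordPress loaded); all names are hypothetical.
// Needs the DOM extension for the attribute listing.

// Constructed sample: an author 'url' value that contains a double quote.
$author_url = 'https://example.test/me" data-constructed="1';

// Unescaped insertion: the quote inside the value ends the attribute early.
function render_unescaped(string $value): string {
    return '<input type="text" name="author_url" value="' . $value . '" />';
}

// Attribute-context escaping: ", ', <, > and & are emitted as entities.
function render_escaped(string $value): string {
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="author_url" value="' . $safe . '" />';
}

// Ingest-time check: keep only absolute http(s) URLs free of quotes,
// angle brackets and whitespace; anything else is stored as empty.
function clean_author_url(string $value): string {
    $value = trim($value);
    if (preg_match('/["\'<>\s]/', $value)) {
        return '';
    }
    $scheme = parse_url($value, PHP_URL_SCHEME);
    $host   = parse_url($value, PHP_URL_HOST);
    $ok = is_string($scheme) && is_string($host) && $host !== ''
        && in_array(strtolower($scheme), ['http', 'https'], true);
    return $ok ? $value : '';
}

// List the attribute names a parser sees on the rendered <input>.
function input_attributes(string $html): array {
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

echo implode(',', input_attributes(render_unescaped($author_url))), "\n";
echo implode(',', input_attributes(render_escaped($author_url))), "\n";
echo var_export(clean_author_url($author_url), true), "\n";
echo var_export(clean_author_url('https://example.test/me'), true), "\n";
```

The unescaped rendering gains an extra attribute taken from the stored value, while the escaped rendering keeps the whole string inside `value`. Escaping at output is the control that closes the hole, and the ingest check only reduces what gets stored.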
Affected Systems
WordPress installations that have the pfefferle:Webmention plugin at version 5.8.0 or earlier are affected. The flaw originates in the handling of MF2 author metadata and the edit‑comment‑form template.
Risk and Exploitability
The CVSS score of 7.2 signals a moderate to high risk. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed exploitation yet. The attack vector is remote, unauthenticated access via the webmention REST endpoint; exploitation requires a later privileged user to open the vulnerable interface. The stored payload remains until the plugin is updated or mitigated.