Description
The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the unauthenticated webmention REST endpoint and rendered directly into HTML 'value' attributes by the edit-comment-form template without esc_attr() or esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a privileged user (moderator or administrator) opens the affected comment edit screen.
Published: 2026-06-30
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Webmention plugin for WordPress is vulnerable to stored Cross-Site Scripting because it fails to sanitize MF2 author attributes. The plugin's parser extracts the 'avatar' and 'url' properties from user-supplied data and inserts them directly into HTML value attributes without escaping, allowing an attacker to embed JavaScript. An unauthenticated actor can craft a webmention and post it through the exposed REST endpoint; the malicious payload is stored and will run when a moderator or administrator opens the comment edit screen.
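The unsafe rendering pattern the advisory describes, shown beside its escaped form, as an added PHP example that is not the Webmention plugin's own code. It assumes WordPress is loaded so that esc_attr(), esc_url(), esc_url_raw() and sanitize_text_field() (all WordPress core) are available; the $author array, its values and the function names are constructed for the demonstration.

```php
<?php
// Added illustration, not the Webmention plugin's code. Assumes WordPress is
// loaded: esc_attr(), esc_url(), esc_url_raw() and sanitize_text_field() are
// WordPress core functions. Array keys and function names are constructed.

// Constructed MF2 author properties, shaped like what an unauthenticated
// webmention could deliver through the REST endpoint.
$author = array(
    'name'   => 'Example Author',
    'url'    => 'https://example.com/" data-injected="1', // stray quote leaves the attribute
    'avatar' => 'notaurl:placeholder',                    // scheme outside wp_allowed_protocols()
);

// Vulnerable pattern from the advisory: untrusted strings dropped straight
// into value="" attributes of the comment edit form, with no escaping at all.
function render_author_fields_unsafe( array $a ) {
    return '<input name="author_name" value="' . $a['name'] . '">' . "\n"
         . '<input name="author_url" value="' . $a['url'] . '">' . "\n"
         . '<input name="author_avatar" value="' . $a['avatar'] . '">';
}

// Fix, step 1 (intake): normalise before the values reach comment meta.
// esc_url_raw() strips characters that cannot appear in a URL and returns ''
// for a scheme that is not on the allowlist, so the avatar above is discarded.
function sanitize_author_meta( array $a ) {
    return array(
        'name'   => sanitize_text_field( $a['name'] ),
        'url'    => esc_url_raw( $a['url'] ),
        'avatar' => esc_url_raw( $a['avatar'] ),
    );
}

// Fix, step 2 (output): escape for the attribute context at render time,
// even for values that were already sanitized on the way in.
function render_author_fields_safe( array $a ) {
    return '<input name="author_name" value="' . esc_attr( $a['name'] ) . '">' . "\n"
         . '<input name="author_url" value="' . esc_url( $a['url'] ) . '">' . "\n"
         . '<input name="author_avatar" value="' . esc_url( $a['avatar'] ) . '">';
}

echo render_author_fields_unsafe( $author ), "\n\n";
echo render_author_fields_safe( sanitize_author_meta( $author ) ), "\n";
```

Escaping at output is the fix the advisory points at; the intake step only limits what gets stored and does not replace it.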

Affected Systems

WordPress installations that have the Pfefferle Webmention plugin at version 5.8.0 or earlier are affected. The flaw originates in the handling of MF2 author metadata and the edit-comment-form template.

Risk and Exploitability

The CVSS score of 7.2 signals a moderate to high risk. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed exploitation yet. The attack vector is remote, unauthenticated access via the webmention REST endpoint; exploitation also requires a privileged user to subsequently open the affected comment edit screen. The stored payload remains until the plugin is updated or mitigated.

Generated by OpenCVE AI on June 30, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Webmention plugin to the latest version that includes a fix for this XSS issue.
  • If a patch is not promptly applied, disable the Webmention REST endpoint or block its access to prevent further malicious MF2 submissions.
  • Implement a Content Security Policy or a web application firewall that restricts script execution on the comment edit screen, blocking injected code until the plugin is updated.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 00:15:00 +0000

  Type: First Time appeared
    Values removed: (none)
    Values added: Pfefferle; Pfefferle webmention; Wordpress; Wordpress wordpress
  Type: Vendors & Products
    Values removed: (none)
    Values added: Pfefferle; Pfefferle webmention; Wordpress; Wordpress wordpress

Tue, 30 Jun 2026 19:00:00 +0000

  Type: Description
    Values removed: (none)
    Values added: The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the unauthenticated webmention REST endpoint and rendered directly into HTML 'value' attributes by the edit-comment-form template without esc_attr() or esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a privileged user (moderator or administrator) opens the affected comment edit screen.
  Type: Title
    Values removed: (none)
    Values added: Webmention <= 5.8.0 - Unauthenticated Stored Cross-Site Scripting via MF2 'photo'/'url' Author Properties
  Type: Weaknesses
    Values removed: (none)
    Values added: CWE-79
  Type: References
    Values removed: (none)
    Values added: (none)
  Type: Metrics
    Values removed: (none)
    Values added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-30T18:32:27.304Z

Reserved: 2026-06-01T04:52:29.224Z

Link: CVE-2026-10513

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T00:00:16Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')