Description
The jQuery Hover Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Footnote Qualifier ('{{...}}' Syntax) in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attribute-breakout payload (e.g., a double-quote followed by an event handler) contains no angle brackets and therefore bypasses WordPress core's wp_kses_post() filtering, which only strips disallowed HTML tags rather than sanitizing attribute contexts.
Published: 2026-06-09
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The jQuery Hover Footnotes plugin for WordPress stores footnote qualifiers supplied by authenticated users with author level or higher. The plugin renders these qualifiers without proper sanitization or escaping, and the injected payload uses a '{{…}}' syntax that omits angle brackets. This bypasses WordPress core’s wp_kses_post() filtering, which only removes disallowed tags. Consequently, arbitrary JavaScript can be persisted and executed in the context of any visitor who views a page containing the modified footnote.

Affected Systems

WordPress sites that have installed the jQuery Hover Footnotes plugin version 1.4 or earlier. Any site with users who possess author or higher privileges that can edit posts or pages is at risk.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated author‑level access or higher; once an attacker can place a footnote qualifier, the stored JavaScript will execute for all users who view the affected page. The attack path is straightforward after privilege is attained and does not require additional setup.

Generated by OpenCVE AI on June 9, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the jQuery Hover Footnotes plugin to version 1.5 or later, which removes the vulnerable feature.
  • Restrict author‑level or higher users to trusted personnel or disable the footnote qualification functionality if it is not essential.
  • If an upgrade cannot be performed immediately, manually remove or neutralize the '{{…}}' syntax from existing footnotes and/or apply custom code to sanitize the footnote field.

Generated by OpenCVE AI on June 9, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Weaverlancegmailcom
Weaverlancegmailcom jquery Hover Footnotes
Wordpress
Wordpress wordpress
Vendors & Products Weaverlancegmailcom
Weaverlancegmailcom jquery Hover Footnotes
Wordpress
Wordpress wordpress

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description The jQuery Hover Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Footnote Qualifier ('{{...}}' Syntax) in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attribute-breakout payload (e.g., a double-quote followed by an event handler) contains no angle brackets and therefore bypasses WordPress core's wp_kses_post() filtering, which only strips disallowed HTML tags rather than sanitizing attribute contexts.
Title jQuery Hover Footnotes <= 1.4 - Authenticated (Author+) Stored Cross-Site Scripting via Footnote Qualifier ('{{...}}' Syntax)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Weaverlancegmailcom Jquery Hover Footnotes
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T15:13:13.489Z

Reserved: 2026-06-03T13:04:14.546Z

Link: CVE-2026-10738

cve-icon Vulnrichment

Updated: 2026-06-09T15:02:02.468Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T05:16:29.963

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-10738

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:56:01Z

Weaknesses