Description
The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-05
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from insufficient sanitization of the widget content field in the Gutenberg editor, allowing an authenticated user with Contributor level or higher to persist malicious scripts. When a page containing the injected content is viewed, the script executes in the visitor’s browser, exposing the site to data theft, session hijacking or defacement. This stored XSS flaw enables full client‑side compromise of any visitor accessing the affected page, leading to loss of confidentiality, integrity, and availability of the web application for all users.

Affected Systems

WordPress installations running the Dynamic Widget Content plugin version 1.3.6 or earlier are impacted. The plugin is authored by BrechtVDS and is typically installed as a WordPress plugin.

Risk and Exploitability

The flaw carries a medium CVSS score of 6.4, yet its exploit probability is very low, with an EPSS of less than 1% and no listing in the CISA KEV catalog. The attack requires authentication with at least Contributor privileges, meaning that users with this role can exploit it directly. Although the exploit window is narrow, the impact on all users who view the injected pages is severe, and the lack of public exploits does not preclude future development of zero‑day methods.

Generated by OpenCVE AI on April 15, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Dynamic Widget Content plugin to the latest available version, ensuring any known patches are applied.
  • Restrict the Contributor role from adding or editing widget content, or remove the widget content field entirely for these users.
  • Implement additional input validation and output encoding on any custom widget content fields as a fallback defense.

Generated by OpenCVE AI on April 15, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 05 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 07:00:00 +0000

Type Values Removed Values Added
Description The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Dynamic Widget Content <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Content Field
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:59.734Z

Reserved: 2026-01-20T21:37:10.146Z

Link: CVE-2026-1268

cve-icon Vulnrichment

Updated: 2026-02-05T15:11:50.391Z

cve-icon NVD

Status : Deferred

Published: 2026-02-05T07:16:17.620

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1268

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T19:00:12Z

Weaknesses