Description
The rognone plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'a' parameter in versions up to, and including, 0.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2026-06-02
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The rognone WordPress plugin is vulnerable to reflected cross-site scripting in versions up to and including 0.6.2. Because the 'a' request parameter is neither sanitized on input nor escaped on output, an unauthenticated attacker can craft a link that injects arbitrary JavaScript into the response; the script runs in the victim's browser, in the origin of the WordPress site, when the victim opens that link. Likely consequences are authenticated actions performed in the victim's session (most damaging when the victim is a logged-in administrator), theft of data visible in the page, defacement, and the staging of further client-side attacks; reading the authentication cookie itself is generally blocked because WordPress sets it HttpOnly. The weakness is classified as CWE-79.

Affected Systems

WordPress sites with the rognone plugin installed at version 0.6.2 or earlier are affected; no earlier release is known to be exempt. Exposure does not depend on the attacker holding an account on the site, only on a user of the site opening the crafted link.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 is Medium (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N): reachable over the network with low complexity and no privileges, but user interaction is required, and scope is changed because the injected script executes in a site user's browser rather than in the vulnerable plugin itself. The EPSS score is below 1% (very low), the CVE is not in the CISA KEV catalog, and the SSVC record lists Exploitation: none and Automatable: no. Exploitation needs no authenticated access: the attacker sends a crafted URL and waits for a victim to follow it. The blast radius is the victim's browser session, so the practical risk scales with who can be lured; an administrator's session is worth far more than an anonymous visitor's. Administrators should treat this as moderate risk that becomes high where privileged users routinely follow external links.

Generated by OpenCVE AI on June 2, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround is recorded on this page. Until a release later than 0.6.2 is published, the mitigations below are the only options.

OpenCVE Recommended Actions

  • Upgrade the rognone plugin as soon as a release later than 0.6.2 is published; this page records no fixed version yet.
  • If upgrading is not possible, patch the plugin so the 'a' parameter is sanitized on input (wp_unslash() followed by sanitize_text_field(), or an allowlist of expected values) and escaped on output with the escaper that matches the HTML context it lands in (esc_html(), esc_attr(), esc_url()), or remove the reflection entirely.
  • Disable or uninstall the plugin if it is not required.
  • Apply a Content Security Policy that blocks inline script execution (script-src with nonces or hashes and without 'unsafe-inline'). Treat this as defence in depth only: WordPress core, themes and other plugins emit inline scripts, so a strict policy needs testing before deployment, and it does not prevent injection into contexts the policy does not cover.

Generated by OpenCVE AI on June 2, 2026 at 09:21 UTC.
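
The reflected-XSS pattern the advisory describes, shown beside the WordPress-idiomatic fix. This is an added illustration and not the rognone plugin's code: the function names are hypothetical, the HTML is constructed for the example, and the block assumes it runs inside WordPress so that wp_unslash(), sanitize_text_field(), sanitize_key(), esc_html(), esc_attr() and esc_url() are available.

```php
<?php
/**
 * Added example, not the rognone plugin's code. Shows a GET parameter named 'a'
 * reflected into the page without sanitization or escaping (the pattern behind
 * CVE-2026-1451) and the WordPress-idiomatic hardening. Function names are
 * hypothetical; the block assumes the WordPress helper functions are loaded.
 */

// Vulnerable pattern (do not ship): the raw query value is concatenated into
// HTML, so ?a=%3Cscript%3Ealert(1)%3C/script%3E is executed by the browser.
function example_vulnerable_reflect() {
	$a = isset( $_GET['a'] ) ? $_GET['a'] : '';
	echo '<p class="notice">' . $a . '</p>';
}

// Hardened pattern: strip the slashes WordPress adds to request data,
// sanitize on input, then escape on output for the context the value lands in.
function example_safe_reflect() {
	$a = isset( $_GET['a'] ) ? sanitize_text_field( wp_unslash( $_GET['a'] ) ) : '';

	// Text node: esc_html() encodes < > & " ' so markup cannot break out.
	echo '<p class="notice">' . esc_html( $a ) . '</p>';

	// Attribute value: esc_attr() is the escaper for this context, and the
	// attribute must be quoted for the escaping to be effective.
	echo '<input type="hidden" name="a" value="' . esc_attr( $a ) . '">';

	// URL context: esc_url() also rejects schemes such as javascript: and data:
	// that esc_attr() would pass through unchanged.
	echo '<a href="' . esc_url( $a ) . '">back</a>';
}

// Stronger option when only a known set of values is meaningful: validate
// against an allowlist and fall back to a default, so nothing attacker-chosen
// is ever reflected (the "remove it entirely" path in the recommended actions).
function example_allowlisted_reflect() {
	$allowed = array( 'list', 'detail', 'search' );
	$a       = isset( $_GET['a'] ) ? sanitize_key( wp_unslash( $_GET['a'] ) ) : '';
	if ( ! in_array( $a, $allowed, true ) ) {
		$a = 'list';
	}
	echo '<p class="notice">' . esc_html( $a ) . '</p>';
}
```

sanitize_text_field() already strips tags, but escaping on output is still required: a value such as `" onmouseover="alert(1)` contains no tag and survives sanitization, and only esc_attr() inside a quoted attribute neutralises it. Pick the escaper by where the value is written, not by where it came from.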


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Federicocarrara
                                      Federicocarrara rognone
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Federicocarrara
                                      Federicocarrara rognone
                                      Wordpress
                                      Wordpress wordpress

Tue, 02 Jun 2026 11:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 08:30:00 +0000

Type          Values Removed   Values Added
Description                    The rognone plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'a' parameter in versions up to, and including, 0.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title                          rognone <= 0.6.2 - Reflected Cross-Site Scripting via 'a' Parameter
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1
                               {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Federicocarrara Rognone
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-02T10:44:35.069Z

Reserved: 2026-01-26T17:57:57.307Z

Link: CVE-2026-1451

Vulnrichment

Updated: 2026-06-02T10:44:29.827Z

NVD

Status : Deferred

Published: 2026-06-02T09:16:15.563

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-1451

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:51:51Z

Weaknesses