Description
The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS) via authenticated checkin_place_id input
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from insufficient input sanitization and output escaping when the checkin_place_id parameter is processed. Allowing authenticated attackers with Subscriber or higher privileges to embed arbitrary JavaScript results in stored XSS that executes whenever any user views the affected page. This can lead to session hijacking, credential theft, malicious redirects, or defacement of content, compromising the confidentiality and integrity of users’ sessions.

Affected Systems

WordPress sites running the Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress. Versions up to and including 1.3.6 are affected. Any user who has Subscriber-level access or higher on the WordPress installation can exploit the flaw.

Risk and Exploitability

The defect has a CVSS score of 6.4, indicating medium severity. The EPSS score for this vulnerability is not available, and it is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with Subscriber privileges, so an attacker must first hold an account on the target site. Once injected, the malicious script executes for every user who visits the affected page, which makes the flaw a high-impact vector for credential theft or session hijacking. While the need for an authenticated role limits broader exposure, the impact on user accounts warrants prompt remediation.

Generated by OpenCVE AI on April 18, 2026 at 08:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Youzify plugin to the latest version that removes the vulnerability.
  • If an update is not yet available, disable the checkin feature or restrict Subscriber+ roles from accessing it until a patch is applied.
  • Verify that all input handling elsewhere in the plugin is properly sanitized to prevent similar XSS issues, and consider enabling a security plugin that enforces output escaping.
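The root cause named in the Impact section and the escaping check recommended above can be illustrated with a small WordPress handler. The code below is an added example and is not Youzify's code; only the request parameter name checkin_place_id comes from this page. The function names, the user-meta key, the nonce action and the assumed format of a place ID are invented for the illustration. It places the unsafe pattern (raw input stored, then echoed unescaped) beside a hardened version that validates on input and escapes for the output context.

```php
<?php
/*
 * Hypothetical check-in handler illustrating the CWE-79 pattern described
 * above. Not Youzify code: function names, the 'example_checkin_place_id'
 * meta key and the nonce action are assumptions made for this example.
 */

// VULNERABLE pattern: the request value is stored as-is and later echoed unescaped.
function example_save_checkin_vulnerable() {
    // No sanitization: whatever the client sent is persisted.
    update_user_meta( get_current_user_id(), 'example_checkin_place_id', $_POST['checkin_place_id'] );
}

function example_render_checkin_vulnerable( $user_id ) {
    $place_id = get_user_meta( $user_id, 'example_checkin_place_id', true );
    // Stored value written into an attribute and a text node without escaping:
    // any markup inside it is rendered for every viewer (stored XSS).
    echo '<div class="checkin" data-place="' . $place_id . '">' . $place_id . '</div>';
}

// HARDENED pattern: authenticate, verify a nonce, validate on input, escape on output.
function example_save_checkin_hardened() {
    // Subscribers legitimately use the feature, so the capability check only
    // rejects anonymous requests; it is the validation and escaping that
    // prevent script injection.
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }
    // CSRF protection (assumed nonce action/field names); dies on failure.
    check_admin_referer( 'example_checkin', 'example_checkin_nonce' );

    $raw      = isset( $_POST['checkin_place_id'] ) ? wp_unslash( $_POST['checkin_place_id'] ) : '';
    $place_id = sanitize_text_field( $raw );

    // Assumed format: a place ID is a short token of letters, digits, '-' and '_'.
    // Rejecting anything else is stricter than sanitizing and is preferred when
    // the value's shape is known.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $place_id ) ) {
        wp_die( 'Invalid place id', '', array( 'response' => 400 ) );
    }
    update_user_meta( get_current_user_id(), 'example_checkin_place_id', $place_id );
}

function example_render_checkin_hardened( $user_id ) {
    $place_id = (string) get_user_meta( $user_id, 'example_checkin_place_id', true );
    // Escape for the context the value lands in: esc_attr() for the attribute,
    // esc_html() for the text node. Output escaping is applied even though the
    // value was validated on input, because stored data may also arrive through
    // other paths (REST endpoints, imports, direct database edits).
    printf(
        '<div class="checkin" data-place="%s">%s</div>',
        esc_attr( $place_id ),
        esc_html( $place_id )
    );
}
```

When reviewing a plugin for this class of bug, the two questions to ask of every request parameter are whether it is validated or sanitized before it is stored and whether it is escaped with the function matching its output context (esc_attr, esc_html, esc_url, esc_js) when it is rendered. Either control alone is fragile; the hardened handler above applies both.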


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 01:45:00 +0000

Type | Values Removed | Values Added
Description | | The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Youzify <= 1.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'checkin_place_id' Parameter
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-18T01:26:05.210Z

Reserved: 2026-01-28T19:07:17.909Z

Link: CVE-2026-1559

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-18T02:16:11.187

Modified: 2026-04-18T02:16:11.187

Link: CVE-2026-1559

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses