Description
Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS. This issue affects Simple XML Sitemap: from n/a through <= 1.3.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via CSRF
Action: Immediate Patch
AI Analysis

Impact

The Simple XML Sitemap plugin for WordPress is vulnerable to a Cross‑Site Request Forgery weakness that allows an attacker to have malicious script code stored in the site's database. The stored XSS can execute when an authenticated administrator or a visitor views the affected page, potentially leading to session hijacking, defacement, or credential theft. The weakness is classified as CWE‑352 and reflects the lack of CSRF protection on inputs that are later rendered into a page without sanitization or output escaping.

Affected Systems

WordPress sites using the gregmolnar Simple XML Sitemap plugin at version 1.3 or earlier are affected. No lower version bound is given (the affected range starts at "n/a"), so any deployment of the plugin that has not been upgraded past 1.3 should be treated as susceptible.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity; the vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a network-reachable flaw that needs no privileges but does require user interaction, with impact that can extend beyond the plugin itself. The EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, meaning no in-the-wild exploitation has been confirmed. An attacker would need to get a privileged user to trigger the forged request, which could be achieved via a crafted link or malicious email; once the XSS payload is stored, it can affect any page that loads the vulnerable data.

Generated by OpenCVE AI on April 16, 2026 at 17:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple XML Sitemap plugin to a version newer than 1.3, or disable and remove the plugin if it is no longer required.
  • Restrict access to the WordPress admin area to trusted users only and log out after finishing administrative tasks to limit the surface area for CSRF attacks.
  • Implement CSRF protection by adding a nonce to the plugin's form submissions and verifying it server-side, and sanitize any user‑supplied data before storing it (and escape it on output) to eliminate the stored XSS vector.
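The nonce-plus-sanitization pattern from the recommendation above, shown as an added example in WordPress PHP. This is illustrative code, not the Simple XML Sitemap plugin's own source; the option name, form field name and `sxs_demo_` function names are hypothetical placeholders.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical admin settings
// handler for a sitemap option, first in the weak form, then hardened.
// 'sxs_demo_sitemap_title' and 'sitemap_title' are assumed placeholder names.

// --- Weak pattern (CSRF leading to stored XSS) ---
function sxs_demo_save_settings_weak() {
    // No nonce and no capability check: any request reaching this handler,
    // including one forged from another site, is honoured. The raw value is
    // stored and later echoed unescaped, so stored markup runs for whoever
    // views the page.
    update_option( 'sxs_demo_sitemap_title', $_POST['sitemap_title'] );
}

// --- Hardened pattern ---
function sxs_demo_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="sxs_demo_save">';
    // Emits a hidden nonce field bound to this action and the current user's session.
    wp_nonce_field( 'sxs_demo_save_settings', 'sxs_demo_nonce' );
    echo '<input name="sitemap_title" value="'
        . esc_attr( get_option( 'sxs_demo_sitemap_title', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

function sxs_demo_save_settings_hardened() {
    // 1. Reject forged requests: the nonce must match the action and user, else wp_die().
    check_admin_referer( 'sxs_demo_save_settings', 'sxs_demo_nonce' );
    // 2. Authorisation is a separate check from CSRF protection.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 3. Sanitise on input so no markup is ever stored.
    $title = isset( $_POST['sitemap_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['sitemap_title'] ) )
        : '';
    update_option( 'sxs_demo_sitemap_title', $title );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_sxs_demo_save', 'sxs_demo_save_settings_hardened' );

// 4. Escape on output as defence in depth, even for values sanitised on input.
function sxs_demo_print_title() {
    echo esc_html( get_option( 'sxs_demo_sitemap_title', '' ) );
}
```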


Advisories

No advisories yet.

History

Tue, 27 Jan 2026 21:15:00 +0000

Type: Metrics
  Values Added:
    cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
  Values Added: Gregmolnar; Gregmolnar simple Xml Sitemap; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Gregmolnar; Gregmolnar simple Xml Sitemap; Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS. This issue affects Simple XML Sitemap: from n/a through <= 1.3.
Type: Title
  Values Added: WordPress Simple XML Sitemap plugin <= 1.3 - CSRF to Stored XSS vulnerability
Type: Weaknesses
  Values Added: CWE-352
Type: References
  Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:48:28.925Z

Reserved: 2026-01-07T12:21:24.563Z

Link: CVE-2026-22355

Vulnrichment

Updated: 2026-01-27T20:32:40.591Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:31.727

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22355

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:00:11Z

Weaknesses