Description
The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day_from' and 'day_to' parameters in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.
Published: 2026-03-21
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting that allows injection of arbitrary scripts into pages viewed by administrators
Action: Immediate Patch
AI Analysis

Impact

The plugin contains a reflected XSS flaw in the 'day_from' and 'day_to' parameters. Unsanitized user input is reflected into the page output, letting an attacker inject malicious scripts. The injected code runs in the context of the victim’s browser, granting the attacker the ability to steal session data, deface the site, or insert further malicious content. Because the bug exists in all releases up to 0.1.2, any site running an affected version is at risk as soon as an attacker can lure an administrator to click a crafted link.

Affected Systems

The vulnerable component is the WordPress plugin itsukaita, maintained by kazunii, in versions 0.1.2 and earlier. Sites that have installed or upgraded to any of those releases are impacted. Vendors or site operators using older versions should consider them compromised until remedied.

Risk and Exploitability

The CVSS base score of 6.1 indicates a moderate severity. No EPSS information is available, but the availability of the plugin on the public WordPress repository and the lack of authentication requirement make it likely that external attackers can exploit it. The vulnerability is not listed in the CISA KEV catalog. Adversaries typically deliver the exploit through a phishing or malicious link that, when followed by an administrator, triggers the reflected payload.

Generated by OpenCVE AI on March 21, 2026 at 06:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the itsukaita plugin to a version higher than 0.1.2, or remove the plugin if it is no longer required.
  • If an upgrade is not feasible, exclude the 'day_from' and 'day_to' parameters from any externally visible pages or block access to them through server configuration.
  • Apply a website‑wide Content Security Policy that disallows inline scripts and enforces strict isolation of script sources.

Generated by OpenCVE AI on March 21, 2026 at 06:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Kazunii
Kazunii itsukaita
Wordpress
Wordpress wordpress
Vendors & Products Kazunii
Kazunii itsukaita
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day_from' and 'day_to' parameters in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.
Title itsukaita <= 0.1.2 - Reflected Cross-Site Scripting via 'day_from' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Kazunii Itsukaita
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:07.185Z

Reserved: 2026-02-12T20:45:42.734Z

Link: CVE-2026-2427

cve-icon Vulnrichment

Updated: 2026-03-23T17:07:22.455Z

cve-icon NVD

Status : Deferred

Published: 2026-03-21T04:17:01.217

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-2427

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:41:51Z

Weaknesses