Description
The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-17
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Update
AI Analysis

Impact

The Pz‑LinkCard plugin for WordPress allows authenticated users with Contributor-level access or higher to store malicious scripts in the 'blogcard' shortcode attributes. Because the plugin fails to properly sanitise or escape these attributes before rendering, the injected scripts are persisted in the database and executed automatically whenever a user loads a page that contains the shortcode, leading to cross‑site scripting that can compromise user sessions or deface content. This weakness aligns with CWE‑79.
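As an added illustration, not Pz‑LinkCard's own code, the following WordPress shortcode handler applies the two controls the description says were missing: it validates attribute values and escapes each one for the HTML context it is written into. The shortcode name, attribute names and function name are assumptions for the example.

```php
<?php
// Added example of a hardened shortcode handler (hypothetical; not the plugin's code).
// Assumed attributes: url, title, target. A contributor controls all three values,
// so every one is treated as untrusted input.
function example_blogcard_shortcode( $atts ) {
    // Normalise attributes and drop anything not in the allow-list of keys.
    $atts = shortcode_atts(
        array( 'url' => '', 'title' => '', 'target' => '_self' ),
        $atts,
        'blogcard'
    );

    // Validate: keep only http/https URLs. esc_url() returns '' for other schemes
    // (javascript:, data:, ...), so the card is simply not rendered in that case.
    $url = esc_url( $atts['url'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        return '';
    }

    // Validate: restrict target to known values instead of echoing free text.
    $target = in_array( $atts['target'], array( '_self', '_blank' ), true )
        ? $atts['target']
        : '_self';

    // Escape for the output context: esc_attr() inside attribute values,
    // esc_html() for element text. A title such as "><script>... becomes inert.
    return sprintf(
        '<a class="blogcard" href="%s" target="%s" rel="noopener">%s</a>',
        esc_attr( $url ),
        esc_attr( $target ),
        esc_html( $atts['title'] )
    );
}
add_shortcode( 'blogcard', 'example_blogcard_shortcode' );
```

The same pattern (allow-list the keys, validate the value, escape for the destination context) is what a code review of any shortcode handler should look for.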

Affected Systems

WordPress sites running the Pz‑LinkCard plugin (poporon:Pz‑LinkCard) in any version up to and including 2.5.8.1. All releases up to and including that version are affected, on any site that uses the shortcode.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate risk level. EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog. Attackers must be authenticated with Contributor or higher privileges, so public exploitation requires initial compromise or an existing account. Nonetheless, the stored nature of the flaw means that once an attacker injects code, it will continue to affect every visitor to the affected page until the content is removed or the plugin is updated. Therefore, sites using the vulnerable version should treat this as a priority fix.

Generated by OpenCVE AI on April 18, 2026 at 08:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Pz‑LinkCard plugin to the latest available release that corrects input validation and output escaping for the 'blogcard' shortcode.
  • If an update is not possible immediately, remove or delete any existing posts or pages that use the 'blogcard' shortcode with potentially malicious attributes, or disable the shortcode entirely.
  • Deploy a site‑wide output escaping strategy or use a security plugin that blocks stored XSS, and audit existing content for leftover scripts.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Popozure; Popozure pz-linkcard; Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Popozure; Popozure pz-linkcard; Wordpress; Wordpress wordpress

Mon, 20 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 22:45:00 +0000

Type: Description
  Values Added: The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
  Values Added: Pz-LinkCard <= 2.5.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Type: Weaknesses
  Values Added: CWE-79

Type: References
  Values Added:

Type: Metrics (cvssV3_1)
  Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-20T13:36:06.124Z

Reserved: 2026-02-12T22:01:50.881Z

Link: CVE-2026-2434

Vulnrichment

Updated: 2026-04-20T13:32:37.396Z

NVD

Status: Received

Published: 2026-04-17T23:16:12.167

Modified: 2026-04-17T23:16:12.167

Link: CVE-2026-2434

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T14:59:26Z

Weaknesses