Description
The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Published: 2026-03-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

The DukaPress WordPress plugin fails to sanitize and escape a parameter before displaying it on the page, allowing an attacker to inject arbitrary JavaScript through crafted requests. Because the payload is reflected in the response, it runs in the victim's browser, potentially enabling session hijacking, cookie theft, or execution of privileged actions on behalf of high-privilege users such as administrators.

Affected Systems

All installations of the DukaPress WordPress plugin with versions up to and including 3.2.4 are affected. The vendor is listed as Unknown and no patch version is identified in the supplied data.

Risk and Exploitability

The CVSS score of 7.1 labels this vulnerability as High severity, while its EPSS score of less than 1% and absence from the KEV catalog suggest a low likelihood of immediate exploitation in the wild. Nevertheless, attackers can exploit this flaw remotely by crafting a malicious payload that is reflected in the plugin's output, thereby affecting users with administrative privileges. The high impact on privileged accounts warrants prompt remediation.

Generated by OpenCVE AI on March 17, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the version of the DukaPress plugin installed on the site.
  • Check the plugin’s official website or repository for an update that addresses the reflected XSS flaw.
  • Apply the latest patch (a version newer than 3.2.4) or upgrade the plugin to a fixed release if available.
  • If no update exists, consider disabling or uninstalling the plugin to remove the vulnerable code path.
  • As an interim measure, review and tighten input validation rules and implement web application firewall rules that block script injections in user-supplied parameters.

Tracking

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Dukapress; Dukapress dukapress; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Dukapress; Dukapress dukapress; Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 14:15:00 +0000

Type: Weaknesses
Values Added: CWE-79

Type: Metrics
Values Added:
cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 06:15:00 +0000

Type: Description
Values Added: The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Type: Title
Values Added: DukaPress <= 3.2.4 - Reflected XSS

Type: References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:58.040Z

Reserved: 2026-02-13T13:35:41.123Z

Link: CVE-2026-2466

Vulnrichment

Updated: 2026-03-11T13:33:34.012Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T06:17:14.240

Modified: 2026-03-11T14:16:27.073

Link: CVE-2026-2466

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:46Z

Weaknesses