Description
The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page.
Published: 2026-02-19
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

XMLRPC Attacks Blocker, versions 1.0 and earlier, takes the X‑Forwarded‑For HTTP header as the client's IP address without checking that the request came through a trusted proxy or that the value is even an IP address, and writes the raw value to its debug log. When an administrator opens the debug log page, the stored entries are rendered into the page without output escaping, so HTML or JavaScript that an unauthenticated attacker placed in the header executes in the administrator's browser. This stored cross‑site scripting runs with the administrator's authenticated session, so it can perform admin actions inside WordPress, read data the administrator can see, or deface the site.
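The flaw described above, modelled as an added example (this is not the plugin's code; the plugin source is not shown on this page). It reduces the issue to the two pieces the advisory names, client‑IP resolution and debug‑log rendering, and shows each in the vulnerable form beside a hardened form. The request dictionary, the trusted‑proxy range 10.0.0.0/8 and the log‑entry wording are constructed for the example; in a WordPress plugin the escaping step corresponds to wrapping the value in esc_html() before output.

```python
import html
import ipaddress

# Constructed sample request (CGI-style server variables), not taken from the advisory:
# the socket peer is an untrusted Internet address and the attacker supplies the header.
ATTACK_REQUEST = {
    "REMOTE_ADDR": "203.0.113.10",
    "HTTP_X_FORWARDED_FOR": '<img src=x onerror="alert(document.cookie)">',
}

# Assumed address range of the site's own reverse proxy. A real deployment must set this
# to its actual proxy addresses, or leave it empty if nothing fronts WordPress.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip_vulnerable(env):
    """The flawed pattern: any X-Forwarded-For value is believed and used as the IP."""
    return env.get("HTTP_X_FORWARDED_FOR") or env["REMOTE_ADDR"]


def client_ip_hardened(env, trusted_proxies=TRUSTED_PROXIES):
    """Use X-Forwarded-For only when the socket peer is a trusted proxy, and only if
    the element that proxy appended parses as an IP address; otherwise use the peer."""
    peer = ipaddress.ip_address(env["REMOTE_ADDR"])
    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    if xff and any(peer in net for net in trusted_proxies):
        # The right-most element was appended by our own proxy; everything to its left
        # came from the client or earlier hops and can be forged.
        candidate = xff.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # malformed value: fall through to the socket peer
    return str(peer)


def debug_log_entry(env, resolve_ip):
    """Build the log line the plugin would store for a blocked xmlrpc.php request."""
    return f"blocked xmlrpc.php request from {resolve_ip(env)}"


def render_log_vulnerable(entries):
    """Log text interpolated straight into admin-page HTML: the stored XSS sink."""
    return "<ul>" + "".join(f"<li>{e}</li>" for e in entries) + "</ul>"


def render_log_hardened(entries):
    """Same page with output escaping (WordPress equivalent: esc_html())."""
    return "<ul>" + "".join(f"<li>{html.escape(e)}</li>" for e in entries) + "</ul>"


if __name__ == "__main__":
    bad = [debug_log_entry(ATTACK_REQUEST, client_ip_vulnerable)]
    good = [debug_log_entry(ATTACK_REQUEST, client_ip_hardened)]
    print("vulnerable page:", render_log_vulnerable(bad))  # payload lands in the page as live HTML
    print("hardened page:  ", render_log_hardened(good))   # records 203.0.113.10 instead
    print("escaped anyway: ", render_log_hardened(bad))    # a payload already stored renders inert
```

Both halves matter: validating the header at write time keeps junk out of the log, but escaping at render time is what protects entries that were stored before the fix, so a patch needs the output escaping regardless of how the IP is resolved.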

Affected Systems

The vulnerability is in the Yehudah xmlrpc attacks blocker plugin for WordPress, versions up to and including 1.0. A site is exposed when the plugin is installed and active with its debug logging enabled; the injected script only runs when an administrator views the plugin's debug log page. WordPress core and other plugins are not affected.

Risk and Exploitability

The CVSS 3.1 score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) is Medium severity, and the EPSS score below 1 % means exploitation is currently expected to be infrequent; the CVE is not in the CISA KEV catalog. Planting the payload takes nothing more than one HTTP request to the site with a crafted X‑Forwarded‑For header and no authentication. The User Interaction: Required component reflects that the script only executes when an administrator later opens the debug log page, and Scope: Changed reflects that it executes in the administrator's browser rather than in the plugin. Because a single unauthenticated request is enough to plant the payload and the debug log is exactly what an administrator will open after noticing blocked xmlrpc traffic, organizations should treat remediation as a priority.

Generated by OpenCVE AI on April 15, 2026 at 20:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Watch for a fixed release of xmlrpc attacks blocker and apply it as soon as one is published; this page lists no vendor fix yet, so do not assume the latest available 1.0 build is safe. A fix needs to accept X‑Forwarded‑For only from the site's own reverse proxy and only when it parses as an IP address, and to escape debug log entries when they are rendered.
  • Until then, disable the plugin's debug logging so attacker‑controlled header values are no longer stored, and clear the existing log rather than opening it from an administrator account, since any payload already planted fires on view. Restricting the log page to trusted users is not enough on its own: administrators are the intended victims.
  • Uninstall the plugin if it is not required. As general edge hardening, a reverse proxy or WAF in front of WordPress can overwrite the inbound X‑Forwarded‑For header with the connecting address so application code never sees client‑supplied values.

Generated by OpenCVE AI on April 15, 2026 at 20:19 UTC.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 01:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress; Yehudah; Yehudah xmlrpc Attacks Blocker

Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress; Yehudah; Yehudah xmlrpc Attacks Blocker

Thu, 19 Feb 2026 05:00:00 +0000

Type: Description
Values added: The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page.

Type: Title
Values added: xmlrpc attacks blocker <= 1.0 - Unauthenticated Stored Cross-Site Scripting via 'X-Forwarded-For'

Type: Weaknesses
Values added: CWE-79

Type: References (no values shown)

Type: Metrics (cvssV3_1)
Values added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:26.164Z

Reserved: 2026-02-13T22:02:17.549Z

Link: CVE-2026-2502

Vulnrichment

Updated: 2026-02-19T17:04:12.396Z

NVD

Status : Deferred

Published: 2026-02-19T07:17:46.570

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:30:13Z

Weaknesses