{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27054", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:30.505Z", "datePublished": "2026-03-25T16:14:53.945Z", "dateUpdated": "2026-03-25T20:13:19.228Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "penci-data-migrator", "product": "Penci Soledad Data Migrator", "vendor": "PenciDesign", "versions": [{"lessThanOrEqual": "<= 1.3.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:32.996Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Soledad Data Migrator penci-data-migrator allows Reflected XSS.<p>This issue affects Penci Soledad Data Migrator: from n/a through <= 1.3.1.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Soledad Data Migrator penci-data-migrator allows Reflected XSS.This issue affects Penci Soledad Data Migrator: from n/a through <= 1.3.1."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:53.945Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/penci-data-migrator/vulnerability/wordpress-penci-soledad-data-migrator-plugin-1-3-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Penci Soledad Data Migrator plugin <= 1.3.1 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27054", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:11:08.927896Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:13:19.228Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27054", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:11:08.927896Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:04:32.723Z"}}], "cna": {"title": "WordPress Penci Soledad Data Migrator plugin <= 1.3.1 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "affected": [{"vendor": "PenciDesign", "product": "Penci Soledad Data Migrator", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.3.1"}], "packageName": "penci-data-migrator", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:32.996Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/penci-data-migrator/vulnerability/wordpress-penci-soledad-data-migrator-plugin-1-3-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Soledad Data Migrator penci-data-migrator allows Reflected XSS.This issue affects Penci Soledad Data Migrator: from n/a through <= 1.3.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Soledad Data Migrator penci-data-migrator allows Reflected XSS.<p>This issue affects Penci Soledad Data Migrator: from n/a through <= 1.3.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:53.945Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27054", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:13:19.228Z", "dateReserved": "2026-02-17T13:23:30.505Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:53.945Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Soledad Data Migrator penci-data-migrator allows Reflected XSS.This issue affects Penci Soledad Data Migrator: from n/a through <= 1.3.1."}], "id": "CVE-2026-27054", "lastModified": "2026-03-25T21:16:38.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:54.523", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/penci-data-migrator/vulnerability/wordpress-penci-soledad-data-migrator-plugin-1-3-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:44:47.445445+00:00", "value": {"mitigation_remediation": ["Upgrade the Penci Soledad Data Migrator plugin to a version newer than 1.3.1, if available.", "If an update cannot be applied immediately, implement strict content\u2011security\u2011policy headers to prevent execution of injected scripts.", "Ensure that all user\u2011supplied data is properly sanitized or escaped before rendering in HTML.", "Monitor site logs for anomalous request patterns that may indicate exploitation attempts."], "summary": {"action": "Update Plugin", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The issue pertains to the WordPress plugin PenciDesign Penci Soledad Data Migrator, affecting all deployed instances of versions up through 1.3.1. Any WordPress site that has installed this plugin within that version range is susceptible.", "description_and_impact": "This vulnerability arises from improper sanitization of user input when generating web pages in the Penci Soledad Data Migrator plugin. A malicious actor can inject arbitrary scripts into a page that is subsequently viewed by other users, enabling session hijacking, defacement, or delivery of malware. The weakness corresponds to the Common Weakness Enumeration class CWE-79, which focuses on reflected cross\u2011site scripting flaws. While the impact is confined to the domain where the plugin is hosted, it can affect any visitor who loads the vulnerable page, potentially compromising credentials or personal data.", "risk_and_exploitability": "The CVSS score is not publicly disclosed, but reflected XSS typically carries a moderate to high severity. The Exploit Prediction Scoring System score is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is presumably webpage request\u2011based and depends on the plugin accepting unsanitized input. Because the vulnerability is reflected, an attacker need only craft a URL and entice a victim to visit it, making exploitation straightforward under most conditions."}}}}, "created": "2026-03-25T21:44:05.220557+00:00", "updated": "2026-03-25T21:44:05.220613+00:00", "vendors": []}