Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Filter Everything penci-filter-everything allows Stored XSS. This issue affects Penci Filter Everything: from n/a through <= 1.7.
Published: 2026-02-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS) affecting user sessions and site data integrity
Action: Patch Immediately
AI Analysis

Impact

The vulnerability in PenciDesign's Penci Filter Everything WordPress plugin allows stored cross-site scripting. Because user input is not properly sanitized during page generation, an attacker who can inject data into the plugin's storage area can have arbitrary script executed in the browser context of any site visitor. This can lead to session hijacking, defacement, or delivery of malicious payloads. The weakness is identified as CWE-79.

Affected Systems

WordPress sites running the Penci Filter Everything plugin version 1.7 or earlier are impacted. The vulnerability applies to any installation that has not been upgraded beyond the 1.7 release, regardless of additional plugins or active themes.

Risk and Exploitability

The CVSS v3.1 score of 6.5 indicates moderate severity, but the EPSS score of less than 1% suggests exploitation is currently rare. The vulnerability is not listed in CISA's KEV catalog. The attack vector likely involves a privileged administrator or editor inserting malicious content into the plugin's input fields; the stored payload then executes automatically for every visitor to the affected pages. Attack prerequisites include access to administrative interfaces and the ability to store or edit content managed by Penci Filter Everything.

Generated by OpenCVE AI on April 16, 2026 at 00:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Penci Filter Everything plugin to version 1.8 or later, which removes the stored XSS flaw.
  • If an upgrade cannot be applied immediately, temporarily disable the plugin on all production sites to stop the exploitation path.
  • Verify that administrators do not submit unsanitized data through the plugin settings and restrict input to whitelisted HTML or plain text when editing content.



Advisories

No advisories yet.

History

Fri, 20 Feb 2026 16:15:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  • cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added:
  • Pencidesign
  • Pencidesign penci Filter Everything
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added:
  • Pencidesign
  • Pencidesign penci Filter Everything
  • Wordpress
  • Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type: Description
Values removed: (none)
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Filter Everything penci-filter-everything allows Stored XSS.This issue affects Penci Filter Everything: from n/a through <= 1.7.

Type: Title
Values removed: (none)
Values added: WordPress Penci Filter Everything plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:15:00.928Z

Reserved: 2026-02-17T13:23:30.505Z

Link: CVE-2026-27057

Vulnrichment

Updated: 2026-02-20T15:07:04.156Z

NVD

Status : Deferred

Published: 2026-02-19T09:16:26.960

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27057

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:15:18Z

Weaknesses