Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fernando Briano List category posts list-category-posts allows DOM-Based XSS. This issue affects List category posts: from n/a through <= 0.93.1.
Published: 2026-03-13
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A DOM‑Based Cross‑Site Scripting flaw exists in the WordPress "List category posts" plugin (CWE‑79). The plugin fails to neutralize user input in certain page generation contexts, enabling an attacker to inject JavaScript that executes in the victim’s browser. This can result in session hijacking, defacement, or the execution of arbitrary client‑side code.

Affected Systems

All releases of Fernando Briano’s List category posts plugin from the earliest available version up to and including version 0.93.1 are impacted, as stated in the vendor description.

Risk and Exploitability

The vulnerability has a CVSS score of 5.9, indicating moderate severity. EPSS shows less than a 1% chance of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. The attack vector is remote, typically via a maliciously crafted URL or link that a user clicks or visits, triggering the DOM‑based XSS. Because the impact is limited to the client’s browser, it does not compromise the server itself but can affect user confidentiality and integrity.

Generated by OpenCVE AI on March 19, 2026 at 15:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the List category posts plugin to a version newer than 0.93.1 if one is available.
  • If no update exists, deactivate or uninstall the plugin as a temporary measure.
  • Apply a content‑security‑policy to block inline scripting as an additional safeguard.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Fernandobriano; Fernandobriano list Category Posts; Wordpress; Wordpress wordpress
Vendors & Products | | Fernandobriano; Fernandobriano list Category Posts; Wordpress; Wordpress wordpress

Fri, 13 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fernando Briano List category posts list-category-posts allows DOM-Based XSS. This issue affects List category posts: from n/a through <= 0.93.1.
Title | | WordPress List category posts plugin <= 0.93.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:13.550Z

Reserved: 2026-03-12T11:11:26.570Z

Link: CVE-2026-32419

Vulnrichment

Updated: 2026-03-13T18:59:37.495Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:54:59.497

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32419

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:03:44Z

Weaknesses