Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS. This issue affects Blog Filter: from n/a through <= 1.7.6.
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: DOM‑Based Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

Improper neutralization of user input during page generation in the Blog Filter plugin permits a DOM‑based cross‑site scripting attack. This type of vulnerability (CWE‑79) allows an attacker to inject and execute arbitrary JavaScript in the context of a victim’s browser, which can lead to session hijacking, defacement, or the insertion of malicious content. The vulnerability exists because the plugin fails to sanitize or encode input before it is used in the generated web page. The potential impact is confined to the web application’s client‑side code and can affect all users who visit pages affected by the plugin.

Affected Systems

The vulnerability affects the Blog Filter plugin from the vendor A WP Life. Versions from the initial release up to and including 1.7.6 are impacted. No other specific version ranges are given, and the plugin is publicly available on WordPress.org.

Risk and Exploitability

The CVSS score for this vulnerability is 6.5, indicating moderate severity, and the EPSS score is below 1%, suggesting a low likelihood of widespread exploitation. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be client‑side, requiring an attacker to supply malicious input through the plugin’s interface or exposed parameters. Because the flaw is DOM‑based, it can be triggered by loading a crafted URL or by submitting untrusted data via the plugin’s filtering mechanism. The impact is limited to users who interact with pages rendered by the affected plugin and does not grant the attacker direct server‑side control.

Generated by OpenCVE AI on April 10, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Blog Filter plugin to the latest available version (any release newer than 1.7.6).
  • Verify that the updated plugin no longer reflects injected scripts by testing common XSS vectors before restoring production traffic.

Generated by OpenCVE AI on April 10, 2026 at 19:38 UTC.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Awplife; Awplife blog Filter; Wordpress; Wordpress wordpress
Vendors & Products | | Awplife; Awplife blog Filter; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS. This issue affects Blog Filter: from n/a through <= 1.7.6.
Title | | WordPress Blog Filter plugin <= 1.7.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:01.930Z

Reserved: 2026-04-07T10:48:03.414Z

Link: CVE-2026-39517

Vulnrichment

Updated: 2026-04-10T17:58:07.728Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:25.493

Modified: 2026-04-24T18:08:35.440

Link: CVE-2026-39517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:25:29Z

Weaknesses