Description
The Simple Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'display_name' post meta (Custom Field) in all versions up to and including 2.6.2. This is due to insufficient input sanitization and output escaping on the author display name when no author URL is present. The plugin accesses `$draft_data->display_name` which, because `display_name` is not a native WP_Post property, triggers WP_Post::__get() and resolves to `get_post_meta($post_id, 'display_name', true)`. When the `user_url` meta field is empty, the `$author` value is assigned to `$author_link` on line 383 without any escaping (unlike line 378 which uses `esc_html()` for the `{{author}}` tag, and line 381 which uses `esc_html()` when a URL is present). This unescaped value is then inserted into the shortcode output via `str_replace()`. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page containing the `[drafts]` shortcode with the `{{author+link}}` template tag.
Published: 2026-03-19
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS)
Action: Patch Now
AI Analysis

Impact

The Simple Draft List WordPress plugin contains a stored Cross-Site Scripting vulnerability (CWE-79). The flaw originates when the plugin retrieves the author display name from a custom field named 'display_name' and, if the author URL is empty, outputs this value directly into the shortcode result without escaping (CVE Description). An attacker with Contributor or higher permissions can store malicious JavaScript in that field, which will execute whenever a visitor loads a page that contains the [drafts] shortcode with the {{author+link}} template tag. This can lead to session hijacking, defacement, or arbitrary script execution in the browser of the visiting user.
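To make the defect concrete, here is a constructed PHP illustration of the escaping pattern the description lays out (added here; it is not the Simple Draft List plugin's code, and the function names render_author_link_vulnerable(), render_author_link_fixed() and expand_template() are assumed). The stand-in esc_html()/esc_url() definitions exist only so the file runs outside WordPress; inside a plugin the real WordPress helpers are used.

```php
<?php
// Constructed illustration of the escaping defect described in CVE-2026-4006.
// Not the Simple Draft List plugin's own code; function names are assumed.

// Stand-ins so the script runs outside WordPress. Inside a plugin the real
// WordPress esc_html()/esc_url() are already defined, so these are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        // The real esc_url() also rejects unsafe schemes; the stand-in only escapes.
        return htmlspecialchars( (string) $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Vulnerable shape (hypothetical): $author is the 'display_name' post meta,
// i.e. untrusted input a Contributor can set. The "no user_url" branch hands
// it on unescaped, while the link branch and the {{author}} tag escape it.
function render_author_link_vulnerable( $author, $user_url ) {
    if ( '' === $user_url ) {
        $author_link = $author; // unescaped: raw markup reaches the page
    } else {
        $author_link = '<a href="' . esc_url( $user_url ) . '">' . esc_html( $author ) . '</a>';
    }
    return $author_link;
}

// Hardened shape: the meta value is escaped at output time in every branch.
function render_author_link_fixed( $author, $user_url ) {
    if ( '' === $user_url ) {
        $author_link = esc_html( $author );
    } else {
        $author_link = '<a href="' . esc_url( $user_url ) . '">' . esc_html( $author ) . '</a>';
    }
    return $author_link;
}

// Template expansion as the description outlines it: str_replace() over tags.
function expand_template( $template, $author, $user_url, callable $renderer ) {
    return str_replace(
        array( '{{author}}', '{{author+link}}' ),
        array( esc_html( $author ), $renderer( $author, $user_url ) ),
        $template
    );
}

// Constructed sample input: markup stored in the display_name custom field,
// with the user_url meta left empty so the unescaped branch is taken.
$display_name = '<b>Name</b>';
$template     = 'by {{author}} / {{author+link}}';

echo expand_template( $template, $display_name, '', 'render_author_link_vulnerable' ), "\n";
echo expand_template( $template, $display_name, '', 'render_author_link_fixed' ), "\n";
```

Run with `php` on the command line: the first output line shows the `<b>` tag surviving in the {{author+link}} slot while the {{author}} slot is escaped, which is exactly the inconsistency the description points at; the second line escapes both. Escaping at output in every branch is the fix this pattern needs, and it is also what the recommended action "sanitize the 'display_name' field manually before output" amounts to.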

Affected Systems

All installations of the Simple Draft List plugin distributed by dartiss, version 2.6.2 or earlier, are affected. No specific version numbers beyond 2.6.2 are listed, so any earlier release inherits the same flaw (Known CNA Affected Version).

Risk and Exploitability

The base CVSS score of 6.4 indicates a medium-severity vulnerability (CVSS). The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog (KEV: not listed). Based on the description, the likely attack vector is an authenticated attacker with Contributor or higher access inside the CMS, making this a local, CMS-based attack. While no public exploit code is currently published, any authenticated Contributor-or-higher user who can edit the 'display_name' field could inject and activate malicious scripts on the front-end (CVE Description).

Generated by OpenCVE AI on March 19, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple Draft List plugin to the latest release (versions >2.6.2) (CVE Description).
  • If an upgrade is not possible, remove or disable the [drafts] shortcode from any pages or templates that include the {{author+link}} tag to prevent the script from rendering (CVE Description).
  • Restrict Contributor users from editing custom fields or from using the [drafts] shortcode until a patch is applied (CVE Description).
  • Ensure an author URL is populated or sanitize the 'display_name' field manually before output to eliminate the unescaped injection (CVE Description).


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Dartiss; Dartiss draft List; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Dartiss; Dartiss draft List; Wordpress; Wordpress wordpress

Thu, 19 Mar 2026 07:15:00 +0000

Type: Description
Values Added: (identical to the Description at the top of this record)

Type: Title
Values Added: Draft List <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'display_name' Parameter

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:18.098Z

Reserved: 2026-03-11T18:57:28.782Z

Link: CVE-2026-4006

Vulnrichment

Updated: 2026-03-19T15:12:28.830Z

NVD

Status : Deferred

Published: 2026-03-19T07:15:59.887

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-4006

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:15:48Z

Weaknesses