Description
Subscriber Cross Site Scripting (XSS) in ProfilePress <= 4.16.13 versions.
Published: 2026-06-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross Site Scripting (XSS) flaw present in all versions of the WordPress ProfilePress plugin up to and including 4.16.13. It allows an authenticated attacker with Subscriber-level access to inject script content into certain components of the plugin’s output. The injected script then executes in the browser of any user who views the affected page, running with that user’s session and privileges.

Affected Systems

The affected product is the WordPress ProfilePress plugin provided by properfraction. All installations running version 4.16.13 or earlier are impacted.

Risk and Exploitability

The CVSS score of 6.5 places the issue in the medium severity range, and the EPSS score of less than 1% indicates a low current probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. While the CVE does not specify detailed exploitation steps or required user interaction, the nature of XSS implies that an attacker would need to supply malicious input that the plugin processes and renders. The direct impact is limited to client-side code execution, but it could lead to broader compromise if the attacker is able to target privileged users or make the payload persistent.

Generated by OpenCVE AI on June 16, 2026 at 22:24 UTC.

Remediation

Vendor Solution

Update the WordPress ProfilePress Plugin to the latest available version (at least 4.16.14).


OpenCVE Recommended Actions

  • Update the WordPress ProfilePress plugin to version 4.16.14 or later.
  • Deploy a web application firewall that filters out malicious script content.
  • Enable a content security policy to restrict sources of executable scripts.

Generated by OpenCVE AI on June 16, 2026 at 22:24 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 13:30:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc
                                        {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Jun 2026 06:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Properfraction
                                        Properfraction profilepress
                                        Wordpress
                                        Wordpress wordpress
Vendors & Products                      Properfraction
                                        Properfraction profilepress
                                        Wordpress
                                        Wordpress wordpress

Mon, 15 Jun 2026 20:30:00 +0000

Type                  Values Removed    Values Added
Description                             Subscriber Cross Site Scripting (XSS) in ProfilePress <= 4.16.13 versions.
Title                                   WordPress ProfilePress plugin <= 4.16.13 - Cross Site Scripting (XSS) vulnerability
Weaknesses                              CWE-79
References
Metrics                                 cvssV3_1
                                        {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Properfraction Profilepress
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T13:04:48.550Z

Reserved: 2026-04-21T12:35:51.612Z

Link: CVE-2026-41556

Vulnrichment

Updated: 2026-06-16T13:04:33.996Z

NVD

Status: Deferred

Published: 2026-06-15T21:16:53.037

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-41556

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:30:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')