Description
Unauthenticated Cross Site Scripting (XSS) in perfmatters <= 2.6.3 versions.
Published: 2026-06-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Cross Site Scripting exists in versions of the WordPress Perfmatters plugin up to 2.6.3. The flaw allows an attacker to inject arbitrary client‑side script when a user visits a specially crafted URL or submits malicious data, executing that code in the victim's browser. This can lead to session hijacking, credential theft, defacement or further compromise of the site. The weakness is an input validation issue identified as CWE‑79.

Affected Systems

The affected product is the Perfmatters WordPress plugin, any WordPress installation using Perfmatters version 2.6.3 or earlier. The vendor responsible for the patch is Perfmatters, and the plugin is commonly bundled with the Kinsta hosting service and used in GeneratePress themes.

Risk and Exploitability

The CVSS score of 7.1 indicates a high level of severity. No EPSS score is available, so the likelihood of exploitation in the wild is unknown, but the vulnerability is not currently listed in CISA's KEV catalog. The flaw can be exploited remotely by unauthenticated users who can craft or influence browser requests to the site, making it potentially open to widespread attacks. The typical attack vector would be a reflected XSS payload delivered via a request to a vulnerable endpoint that accepts query parameters or form inputs without proper sanitization.

Generated by OpenCVE AI on June 26, 2026 at 16:35 UTC.

Remediation

Vendor Solution

Update the WordPress Perfmatters Plugin to the latest available version (at least 2.6.4).

OpenCVE Recommended Actions

  • Update the Perfmatters plugin to version 2.6.4 or newer, which removes the vulnerable code.
  • If an immediate update is not feasible, remove or disable any feature that accepts untrusted input from users, or whitelist allowed input characters.
  • Apply site‑wide input filtering to ensure that any data reaching the plugin is sanitized to prevent script injection.

Generated by OpenCVE AI on June 26, 2026 at 16:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in perfmatters <= 2.6.3 versions.
Title WordPress perfmatters plugin <= 2.6.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:47:05.480Z

Reserved: 2026-06-18T14:37:51.351Z

Link: CVE-2026-56047

cve-icon Vulnrichment

Updated: 2026-06-26T15:47:00.476Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T16:45:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')