Description
Unauthenticated Cross Site Scripting (XSS) in FOX <= 1.4.8 versions.
Published: 2026-06-26
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Cross Site Scripting flaw in the WordPress FOX plugin versions up to 1.4.8. An attacker can inject arbitrary JavaScript into the output of the plugin, potentially hijacking user sessions, defacing content, or executing further malicious code in the victim’s browser. This weakness is classified as CWE‑79, which describes insecure handling of user input leading to script injection.

Affected Systems

Affected users run RealMag777’s FOX plugin on WordPress sites with any versions from the initial release up to 1.4.8. The patch requires upgrading to 1.4.9 or later, which removes the vulnerable code paths. Sites using older releases are directly exposed.

Risk and Exploitability

The CVSS score of 7.1 signals a high severity, while the lack of an EPSS score indicates insufficient data on exploitation probability. The flaw is not listed in the CISA KEV catalog. Because the attack is unauthenticated, any website visitor could trigger the injection by supplying crafted input to the plugin’s publicly exposed endpoints. Administrators should treat this as a priority risk.

Generated by OpenCVE AI on June 26, 2026 at 17:01 UTC.

Remediation

Vendor Solution

Update the WordPress FOX Plugin to the latest available version (at least 1.4.9).

OpenCVE Recommended Actions

  • Update WordPress FOX Plugin to version 1.4.9 or newer immediately.
  • Configure the plugin to limit data entry to authenticated administrators only, removing public write access where possible.
  • Employ WordPress built‑in sanitization functions or a web‑application firewall to filter output and block unexpected scripts.
  • Monitor site logs for repeated XSS attempts and apply rate‑limiting or blocking rules.

Generated by OpenCVE AI on June 26, 2026 at 17:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Realmag777
Realmag777 fox
Wordpress
Wordpress wordpress
Vendors & Products Realmag777
Realmag777 fox
Wordpress
Wordpress wordpress

Fri, 26 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in FOX <= 1.4.8 versions.
Title WordPress FOX plugin <= 1.4.8 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Realmag777 Fox
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:41:17.083Z

Reserved: 2026-06-24T12:44:58.567Z

Link: CVE-2026-57319

cve-icon Vulnrichment

Updated: 2026-06-26T15:41:12.380Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T20:15:02Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')