Description
Unauthenticated Cross Site Scripting (XSS) in BEAR <= 1.1.8 versions.
Published: 2026-06-29
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Cross Site Scripting flaw that exists in all versions of the WordPress BEAR plugin up to and including 1.1.8. The flaw stems from insufficient input sanitization, allowing an attacker to inject arbitrary JavaScript code that executes in the browser context of any user who views the injected content. This can lead to session hijacking, cookie theft, or other client-side compromise. The weakness is classified as CWE‑79.

Affected Systems

The affected system is the WordPress BEAR plugin developed by RealMag777. All installations of the plugin with a version number less than or equal to 1.1.8 are vulnerable. The vendor’s official fix is to upgrade to version 1.1.9 or later.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, and the lack of an EPSS score suggests a low but non‑zero likelihood of exploitation at the time of this analysis. The plugin is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is unauthenticated web-based input that is rendered by the plugin without proper escaping. An attacker can exploit the flaw by crafting a malicious input in any field that the plugin accepts and then causing a legitimate user to view that input, thereby executing the injected script.

Generated by OpenCVE AI on June 29, 2026 at 16:25 UTC.

Remediation

Vendor Solution

Update the WordPress BEAR Plugin to the latest available version (at least 1.1.9).

OpenCVE Recommended Actions

  • Apply the vendor’s patch and upgrade the WordPress BEAR Plugin to version 1.1.9 or later.
  • Re‑inspect and clean any user‑generated or cached content that the plugin may have processed, removing any embedded JavaScript that could have been inserted during the vulnerability period.
  • Deploy a Content Security Policy that disallows inline scripts and restricts allowed script sources, reducing the impact if any residual or future XSS vectors remain.

Generated by OpenCVE AI on June 29, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Realmag777
Realmag777 bear
Wordpress
Wordpress wordpress
Vendors & Products Realmag777
Realmag777 bear
Wordpress
Wordpress wordpress

Mon, 29 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in BEAR <= 1.1.8 versions.
Title WordPress BEAR plugin <= 1.1.8 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Realmag777 Bear
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-29T15:19:43.806Z

Reserved: 2026-06-24T12:44:58.567Z

Link: CVE-2026-57320

cve-icon Vulnrichment

Updated: 2026-06-29T14:58:49.300Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T21:00:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')