Description
Contributor Cross Site Scripting (XSS) in Ghost Kit <= 3.6.0 versions.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Contributor Cross Site Scripting in Ghost Kit <= 3.6.0 allows an attacker who can add or edit content to insert malicious JavaScript. This injected code is rendered in the browsers of any visitors who view that content, creating a client-side attack surface.

Affected Systems

The vulnerability affects the Ghost Kit plugin used within WordPress sites. All installations using version 3.6.0 or earlier are impacted; newer releases contain a fix. Sites that deploy Ghost Kit on a WordPress installation are the primary target group.

Risk and Exploitability

The CVSS base score of 6.5 reflects a moderate severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, indicating no confirmed, widespread exploitation to date. The likely attack vector involves a contributor or user with the ability to add or edit plugin content; an attacker would create a malicious payload that is then rendered in the browsers of other site visitors. While it does not grant remote code execution on the server, it enables client-side script execution.

Generated by OpenCVE AI on June 26, 2026 at 19:35 UTC.

Remediation

Vendor Solution

Update the WordPress Ghost Kit Plugin to the latest available version (at least 3.6.1).


OpenCVE Recommended Actions

  • Update the Ghost Kit plugin to version 3.6.1 or later
  • Inspect and remove any posts, pages, or content that may contain unsanitized user input added by contributors
  • Restrict contributor editing rights or enforce strict input sanitization on plugin content to prevent injection of malicious scripts

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Contributor Cross Site Scripting (XSS) in Ghost Kit <= 3.6.0 versions.
Title       |                | WordPress Ghost Kit plugin <= 3.6.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T17:42:21.035Z

Reserved: 2026-06-25T08:03:24.124Z

Link: CVE-2026-57651

Vulnrichment

Updated: 2026-06-26T17:26:38.369Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T19:45:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')