Description
Author Cross Site Scripting (XSS) in Hester Core <= 1.1.8 versions.
Published: 2026-06-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Hester Core WordPress plugin versions 1.1.8 and earlier include a cross‑site scripting vulnerability that permits an attacker to inject arbitrary JavaScript into web pages served by the plugin. This flaw, classified as CWE‑79, can lead to session hijacking, defacement, or the execution of malicious code in the victim's browser, thereby compromising confidentiality and integrity of the site and its users.

Affected Systems

The vulnerability affects the PeregrineThemes Hester Core plugin for WordPress. Any installation using version 1.1.8 or earlier is susceptible; later releases, such as 1.1.9 and above, contain the fix.

Risk and Exploitability

The CVSS score of 5.9 indicates a medium risk. EPSS is unavailable, and the issue is not listed in CISA’s KEV catalog. The likely attack vector is through input or configuration fields that the plugin renders without proper escaping. Successful exploitation would require an attacker to persuade a user to view a page containing the injected script, typically by leveraging an administrative or content‑creation role within the WordPress installation.

Generated by OpenCVE AI on June 26, 2026 at 17:39 UTC.

Remediation

Vendor Solution

Update the WordPress Hester Core Plugin to the latest available version (at least 1.1.9).


OpenCVE Recommended Actions

  • Update the Hester Core plugin to version 1.1.9 or newer.
  • If an immediate update is not feasible, deactivate or uninstall the plugin until the patch is applied.
  • Verify that any custom code or third‑party extensions using the plugin do not echo unsanitized data; where they do, escape the output.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Author Cross Site Scripting (XSS) in Hester Core <= 1.1.8 versions.
Title WordPress Hester Core plugin <= 1.1.8 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T16:36:27.608Z

Reserved: 2026-06-25T08:03:24.124Z

Link: CVE-2026-57656

Vulnrichment

Updated: 2026-06-26T16:36:24.467Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:45:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')