Description
Unauthenticated Cross Site Scripting (XSS) in perfmatters <= 2.6.4 versions.
Published: 2026-07-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin contains an unauthenticated Cross Site Scripting flaw (CWE-79) that enables an attacker to inject arbitrary JavaScript into the web pages served by affected WordPress sites. The vulnerability originates from insufficient sanitization of user-supplied input. An attacker can craft a request that executes arbitrary script in the context of the victim's browser, potentially exfiltrating session cookies, defacing content, or conducting phishing attacks. The effect is a breach of confidentiality, integrity, and availability of the affected website and its users.

Affected Systems

WordPress installations that have the perfmatters plugin installed at version 2.6.4 or older are impacted. This includes every site that has not yet applied the 2.6.5 upgrade. The vendor is Perfmatters. No other WordPress plugins or core versions are mentioned.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact and moderate complexity vulnerability. There is no EPSS score available, so the current exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed active exploits in the public domain. The description indicates that the defect is unauthenticated; it is inferred that an attacker can trigger the vulnerability by visiting a crafted URL or submitting malicious form input, making it reachable by attackers without special credentials.

Generated by OpenCVE AI on July 3, 2026 at 10:21 UTC.

Remediation

Vendor Solution

Update the WordPress perfmatters Plugin to the latest available version (at least 2.6.5).


OpenCVE Recommended Actions

  • Update the perfmatters plugin to version 2.6.5 or later, as released by the vendor.
  • If an upgrade cannot be performed immediately, remove or deactivate the perfmatters plugin until patching is possible.
  • Consider enabling a Web Application Firewall that blocks script injection to mitigate exploitation until the patch is deployed.

Generated by OpenCVE AI on July 3, 2026 at 10:21 UTC.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 13:30:00 +0000

  • Metrics (ssvc), values added:
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Jul 2026 13:15:00 +0000

  • First Time appeared, values added: Perfmatters; Perfmatters perfmatters; Wordpress; Wordpress wordpress
  • Vendors & Products, values added: Perfmatters; Perfmatters perfmatters; Wordpress; Wordpress wordpress

Thu, 02 Jul 2026 11:30:00 +0000

  • Description, values added: Unauthenticated Cross Site Scripting (XSS) in perfmatters <= 2.6.4 versions.
  • Title, values added: WordPress perfmatters plugin <= 2.6.4 - Cross Site Scripting (XSS) vulnerability
  • Weaknesses, values added: CWE-79
  • References
  • Metrics (cvssV3_1), values added:
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T12:39:50.501Z

Reserved: 2026-06-25T08:03:37.652Z

Link: CVE-2026-57671

Vulnrichment

Updated: 2026-07-02T12:39:47.526Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T10:30:11Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')