Description
Author Cross Site Scripting (XSS) in Simple URLs <= 151 versions.
Published: 2026-07-02
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple URLs WordPress plugin contains a cross‑site scripting (XSS) flaw that allows malicious scripts to be injected through unsanitised user input. This weakness, identified as CWE‑79, can lead to client‑side code execution when a visitor loads a page that includes the attacker‑controlled content, enabling phishing, cookie theft, or defacement. The impact is confined to the victim’s browser and does not provide direct remote code execution on the server.

Affected Systems

The vulnerability affects the Simple URLs plugin developed by Andrew Fiebert, specifically versions 151 and earlier. No further vendor or product details are provided beyond the plugin name and the cutoff version.

Risk and Exploitability

The CVSS score of 5.9 indicates a medium-severity vulnerability. No EPSS score is available, so there is no estimate of exploitation likelihood. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers likely exploit this through remote interaction with the web interface, crafting URLs or input that injects JavaScript, which is then rendered by users' browsers when the plugin processes the data.

Generated by OpenCVE AI on July 2, 2026 at 15:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple URLs plugin to the latest version that contains the XSS patch.
  • If an immediate upgrade is not possible, deploy a web application firewall rule that sanitises or blocks suspicious script payloads on the URL parameters handled by the plugin.
  • Conduct a site‑wide review to ensure that no injected scripts remain embedded in content and that all input is properly escaped before rendering in user‑facing pages.



Advisories

No advisories yet.

History

Thu, 02 Jul 2026 12:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 02 Jul 2026 11:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Author Cross Site Scripting (XSS) in Simple URLs <= 151 versions. |
| Title | | WordPress Simple URLs plugin <= 151 - Cross Site Scripting (XSS) vulnerability |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'} |



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T11:58:18.447Z

Reserved: 2026-06-25T08:04:41.580Z

Link: CVE-2026-57762

Vulnrichment

Updated: 2026-07-02T11:58:14.781Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:15:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')