Description
The LifePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'n' parameter of the lp_update_mds AJAX action in all versions up to, and including, 2.2.2. This is due to the `wp_ajax_nopriv_lp_update_mds` action being registered without nonce verification or capability checks, combined with insufficient input sanitization and output escaping when the series name is rendered in the admin settings page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The LifePress plugin for WordPress is vulnerable to a stored cross‑site scripting flaw originating from the unvalidated 'n' parameter received by the lp_update_mds AJAX action. Because the action is registered without a nonce check or capability verification and the input is not sanitized or escaped before being displayed, an unauthenticated attacker can store arbitrary JavaScript in the database. When any administrator or user loads the affected admin page, the injected script runs in that user's browser, potentially leading to session hijacking, defacement, or credential theft.

Affected Systems

WordPress installations running the LifePress plugin version 2.2.2 or earlier. The vulnerability applies to all releases up to and including 2.2.2 from the vendor ashanjay.

Risk and Exploitability

The vulnerability receives a CVSS score of 7.2, indicating a high severity. The EPSS score is not available, but the lack of authentication requirements means that any visitor can exploit the flaw, raising the likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can target the vulnerable AJAX endpoint with crafted requests, inject malicious payloads, and cause client‑side script execution for all users who access the page.

Generated by OpenCVE AI on May 12, 2026 at 10:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LifePress plugin to the latest released version that includes the fix for the stored XSS vulnerability.
  • If an upgrade is not possible, disable or remove the wp_ajax_nopriv_lp_update_mds AJAX action to prevent unauthenticated requests.
  • As a long‑term remedial measure, ensure that all user‑supplied data passed to the plugin, especially the 'n' parameter, is properly sanitized and escaped, and that all AJAX actions enforce nonce verification and capability checks before processing the request.

Generated by OpenCVE AI on May 12, 2026 at 10:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 08:30:00 +0000

Type Values Removed Values Added
Description The LifePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'n' parameter of the lp_update_mds AJAX action in all versions up to, and including, 2.2.2. This is due to the `wp_ajax_nopriv_lp_update_mds` action being registered without nonce verification or capability checks, combined with insufficient input sanitization and output escaping when the series name is rendered in the admin settings page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title LifePress <= 2.2.2 - Unauthenticated Stored Cross-Site Scripting via 'n' Parameter via lp_update_mds AJAX Action
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-12T12:55:52.803Z

Reserved: 2026-04-20T15:52:50.962Z

Link: CVE-2026-6690

cve-icon Vulnrichment

Updated: 2026-05-12T12:55:49.911Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T09:16:55.940

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-6690

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T10:45:14Z

Weaknesses