Description
The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2026-05-05
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Blog Settings plugin for WordPress contains a reflected cross‑site scripting vulnerability that is triggered by the unsanitized 'page' parameter. The plugin fails to validate or encode this input before echoing it back to the browser, allowing an unauthenticated attacker to insert arbitrary JavaScript. If a victim follows a malicious link, the injected script will execute within their browser, giving the attacker the ability to run client‑side code on the victim’s session.

Affected Systems

All WordPress installations using the Blog Settings plugin developed by phpsandeepkumar, for any version up to and including 1.0, are affected. The vulnerability exists in every released version of the plugin whose version number is 1.0 or lower.

Risk and Exploitability

The CVSS score of 6.1 places this issue in the medium severity range, and the EPSS score is not available. It is not listed in the CISA KEV catalog. An attacker can exploit the flaw by crafting a URL that contains a malicious payload in the 'page' query parameter and convincing a victim to click the link. No privileged access or additional preconditions are required, so the attack vector is accessible to any external actor.

Generated by OpenCVE AI on May 5, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Blog Settings plugin to a version newer than 1.0 or remove it if it is no longer maintained
  • If an upgrade is not immediately possible, configure a web application firewall or security plugin to filter or strip the 'page' query parameter and enforce proper output encoding before rendering
  • Ensure that all WordPress core files and other plugins are kept up to date and use WordPress escape functions to prevent similar XSS vulnerabilities

Generated by OpenCVE AI on May 5, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 02:45:00 +0000

Type Values Removed Values Added
Description The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title Blog Settings <= 1.0 - Reflected Cross-Site Scripting via 'page' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-05T02:26:58.006Z

Reserved: 2026-04-20T17:55:04.098Z

Link: CVE-2026-6704

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-05T03:16:01.090

Modified: 2026-05-05T03:16:01.090

Link: CVE-2026-6704

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T04:30:15Z

Weaknesses