Description
The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-05-12
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Continually WordPress plugin contains a stored cross‑site scripting flaw that allows authenticated users with administrator privileges or higher to inject arbitrary JavaScript into the "continually_embed_code" setting. When any user views the page containing the injected code, the script executes in that user's browser. This can lead to session hijacking, credential theft, defacement, or the delivery of additional malware to site visitors.

Affected Systems

All WordPress installations using Continually plugin version 4.3.1 or earlier are impacted. The flaw is exploitable on multi‑site networks and on regular sites when the WordPress setting unfiltered_html is disabled. It does not affect installations that have unfiltered_html enabled or are running a newer plugin version.

Risk and Exploitability

The CVSS score of 4.4 classifies the vulnerability as moderate. Exploitation requires authenticated access with administrator-level credentials. The EPSS score is not available, so no assessment of real‑world exploitation likelihood can be made, and the flaw is not listed in the CISA KEV catalog. Attackers would typically modify the embedded code field through the plugin’s admin interface to inject malicious scripts, which then persist and are served to any visitor who accesses the affected page.

Generated by OpenCVE AI on May 12, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Continually plugin to a version newer than 4.3.1 that removes the stored XSS flaw
  • If an upgrade is not immediately possible, disable the Continually plugin to eliminate the attack vector
  • Alternatively, enable the WordPress unfiltered_html option so that the XSS filter is bypassed for administrators, though this mitigates only in the context of the plugin’s current behavior

Generated by OpenCVE AI on May 12, 2026 at 11:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Continually <= 4.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'continually_embed_code' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-12T12:39:21.916Z

Reserved: 2026-04-21T17:48:30.636Z

Link: CVE-2026-6813

cve-icon Vulnrichment

Updated: 2026-05-12T12:39:14.255Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T10:16:48.350

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-6813

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T11:30:14Z

Weaknesses