Description
The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in the admin URI Editor interface in all versions up to, and including, 2.5.3.3 due to insufficient output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in the admin Permalink Manager page that will execute whenever an administrator accesses the Permalink Manager page.
Published: 2026-06-17
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Permalink Manager Lite plugin is vulnerable to stored cross‑site scripting through post titles. The insufficient output escaping in the admin URI Editor allows contributors or higher‑privileged users to embed arbitrary web scripts. When an administrator visits the Permalink Manager page, the malicious script executes in their browser, potentially compromising their session and allowing further attacks such as credential theft or defacement.

Affected Systems

This flaw affects all installations of the Permalink Manager Lite WordPress plugin up to version 2.5.3.3. Users who run older or unpatched versions are at risk, regardless of how many sites are using the plugin. The vulnerability is tied directly to the mbis:Permalink Manager Lite product, so any site employing this plugin is impacted.

Risk and Exploitability

The CVSS base score of 6.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low exploitation probability. Because the vulnerability requires authenticated (Contributor+ level) access, the attack surface is limited to users who have been granted such privileges. The flaw is not listed in the CISA KEV catalog, but the cross‑site scripting payload can be delivered via normal administrative interactions, making it a tangible risk for sites with uninhibited contributor roles.

Generated by OpenCVE AI on June 17, 2026 at 18:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Permalink Manager Lite plugin to version 2.5.4 or later
  • If upgrading is not immediately possible, disable the URI Editor feature or uninstall the plugin entirely
  • Restrict Contributor role permissions so that only administrators can edit post titles in the Permalink Manager interface

Generated by OpenCVE AI on June 17, 2026 at 18:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Maciej Bis
Maciej Bis permalink Manager Lite
Wordpress
Wordpress wordpress
Vendors & Products Maciej Bis
Maciej Bis permalink Manager Lite
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in the admin URI Editor interface in all versions up to, and including, 2.5.3.3 due to insufficient output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in the admin Permalink Manager page that will execute whenever an administrator accesses the Permalink Manager page.
Title Permalink Manager Lite <= 2.5.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Maciej Bis Permalink Manager Lite
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-17T10:37:01.457Z

Reserved: 2026-05-13T16:48:08.987Z

Link: CVE-2026-8494

cve-icon Vulnrichment

Updated: 2026-06-17T10:36:57.708Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:45:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')