Description
The WP Latest Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted image src attributes in post content in versions up to, and including, 5.0.11. This is due to insufficient output escaping in the field() and loop() functions, which extract the raw src attribute value from <img> tags within post_content using a regular expression and then reconstruct new <img> elements or CSS background-image declarations by directly concatenating the unescaped value — bypassing WordPress's kses filtering entirely. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Latest Posts plugin contains a stored cross-site scripting flaw: an authenticated user with author-level access can publish content that includes an <img> tag whose src attribute has been crafted to contain malicious JavaScript. The plugin's parsing logic extracts the src value with a regular expression and re-creates the <img> element without applying WordPress's standard sanitization, so the injected script executes in the browser of any visitor who views the post.
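As an added example (not the plugin's code, and not a reproduction of its field() or loop() functions), the PHP below sketches the pattern the description names: a regular expression pulls the first <img> src out of post_content and an <img> tag plus a CSS background-image are rebuilt from it, with the output escaping the page says was missing applied for each context. The extraction regex and the esc_url() fallback are assumptions made so the file runs outside WordPress; inside WordPress the real esc_url() is used.

```php
<?php
// Added example, not the plugin's code: the pattern the advisory describes
// (regex-extract an <img> src from post_content, rebuild markup), with the
// value escaped for each output context before it is concatenated.
// Constructed stand-in so the file runs outside WordPress; when WordPress
// is loaded, its own esc_url() is used instead.
if (!function_exists('esc_url')) {
    function esc_url($url) {
        $url = trim((string) $url);
        // Accept only http(s) and site-relative URLs; anything else becomes ''.
        if (!preg_match('#^(https?://|/(?!/))#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// First <img> src in the post. The regex is assumed (the plugin's own is not
// on the page). kses already ran on post_content, but this captured string
// is about to be emitted as *new* markup, so it needs its own escaping.
function first_image_src($post_content) {
    if (preg_match('/<img\b[^>]*\bsrc=["\']([^"\']*)["\']/i', $post_content, $m)) {
        return $m[1];
    }
    return '';
}

// Hardened reconstruction. The vulnerable shape is '<img src="' . $src . '">'
// and 'background-image:url(' . $src . ')' with $src concatenated raw.
function render_thumbnail($post_content) {
    $src = esc_url(first_image_src($post_content));
    if ($src === '') {
        return '';   // no usable image: emit nothing rather than a broken tag
    }
    // Attribute context: esc_url() encoded quotes and rejected odd schemes.
    $img = '<img src="' . $src . '" alt="">';
    // Inline style: quote the url() so a ")" in the URL cannot close it early;
    // both quote characters were already encoded by esc_url().
    $css = '<div style="background-image:url(\'' . $src . '\')"></div>';
    return $img . "\n" . $css;
}

// Constructed samples: a normal image, then a non-http scheme that is dropped.
echo render_thumbnail('<p>Post</p><img src="https://example.com/a.png?w=1&h=2">'), "\n";
echo render_thumbnail('<img src="data:text/plain,hello">'), "\n";
```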

Affected Systems

Affected systems are sites running the joomunited WP Latest Posts plugin in any version up to and including 5.0.11. Administrators should verify that the plugin version is 5.0.12 or newer.

Risk and Exploitability

With a CVSS score of 6.4 the risk is moderate; the EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. Successful exploitation requires author-level credentials. An attacker with them can embed arbitrary scripts that run in the browser of any user who views the compromised post, potentially leading to phishing, credential theft, or session hijacking.

Generated by OpenCVE AI on June 24, 2026 at 09:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install plugin version 5.0.12 or newer to eliminate the vulnerability.
  • If an update cannot be applied immediately, deactivate the WP Latest Posts plugin or delete any posts that contain malicious <img> tags until the plugin can be updated.
  • Review and limit author‑level permissions for users to reduce the chance of malicious content being inserted.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 12:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Joomunited; Joomunited wp Latest Posts; Wordpress; Wordpress wordpress
Vendors & Products   -                Joomunited; Joomunited wp Latest Posts; Wordpress; Wordpress wordpress

Wed, 24 Jun 2026 06:30:00 +0000

Type         Values Removed   Values Added
Description  -                The WP Latest Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted image src attributes in post content in versions up to, and including, 5.0.11. This is due to insufficient output escaping in the field() and loop() functions, which extract the raw src attribute value from <img> tags within post_content using a regular expression and then reconstruct new <img> elements or CSS background-image declarations by directly concatenating the unescaped value — bypassing WordPress's kses filtering entirely. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title        -                WP Latest Posts <= 5.0.11 - Authenticated (Author+) Stored Cross-Site Scripting via Post Content Image src Attribute
Weaknesses   -                CWE-79
References   -
Metrics      -                cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:31.605Z

Reserved: 2026-05-26T17:09:42.001Z

Link: CVE-2026-9620

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T12:15:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')