Description
The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-13
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Canvas WordPress plugin accepts a 'tag' attribute in several block rendering components, but does not properly sanitize or escape its value. When a contributor or higher‑privilege user supplies malicious content as the tag, the plugin stores it in the database and later includes it unfiltered when rendering the page. The injected script runs in any visitor’s browser, providing the attacker with access to client‑side information, session cookies, and the ability to perform actions on behalf of that user. This vulnerability is a classic stored cross‑site scripting flaw (CWE‑79).

Affected Systems

Any WordPress site using the Canvas plugin version 2.5.2 or earlier is vulnerable. The affected vendor is CodeSupplyCo under the Canvas plugin product line. Updating to Canvas 2.5.3 or later removes the flaw.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. Because exploitation requires an authenticated contributor account, the likely attack path is an insider or a compromised contributor login rather than an anonymous visitor. Although an EPSS score is not available, the flaw remains a real threat, especially on sites that hand out contributor accounts broadly. The vulnerability is not listed in the CISA KEV catalog, but it can still be actively exploited if a site’s contributor base is not properly monitored.

Generated by OpenCVE AI on June 13, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Canvas plugin to version 2.5.3 or later, removing the vulnerable code paths.
  • If an immediate upgrade is not possible, disable the affected block features or enforce stricter input validation on the 'tag' attribute to prevent script injection.
  • Audit existing content for embedded scripts and delete any that were inserted as a result of the vulnerability.
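As an added illustration of the validation the second action calls for (not the Canvas plugin's own code; the plugin's real render path is not shown on this page), the snippet below assumes a hypothetical dynamic block whose 'tag' attribute selects the wrapper element name, and places the unsafe render pattern beside a hardened callback that allow-lists the element name and escapes the rest of the output. Block and function names are invented; a WordPress runtime is assumed for esc_attr, wp_kses_post and register_block_type.

```php
<?php
// Added example; hypothetical block, not the Canvas plugin's own code.
// Assumes a WordPress runtime (esc_attr, wp_kses_post, register_block_type).

// Unsafe pattern: the stored 'tag' attribute is emitted verbatim, so any
// markup characters a contributor saved in it reach every visitor's browser.
function demo_render_unsafe( array $attributes, string $content ): string {
    $tag = $attributes['tag'] ?? 'div';
    return "<{$tag} class=\"demo-block\">{$content}</{$tag}>";
}

// Hardened pattern: only a fixed set of element names is accepted; anything
// else falls back to 'div'. The remaining dynamic parts are escaped on output,
// so the fix does not depend on what was stored before the upgrade.
const DEMO_ALLOWED_TAGS = array( 'div', 'section', 'article', 'aside', 'header', 'footer' );

function demo_sanitize_tag( $tag ): string {
    $tag = strtolower( trim( (string) $tag ) );
    return in_array( $tag, DEMO_ALLOWED_TAGS, true ) ? $tag : 'div';
}

function demo_render_safe( array $attributes, string $content ): string {
    $tag   = demo_sanitize_tag( $attributes['tag'] ?? 'div' );
    $class = esc_attr( $attributes['className'] ?? 'demo-block' );
    // Inner block markup passes through wp_kses_post(), which strips <script>
    // elements and event-handler attributes not permitted in post content.
    return sprintf( '<%1$s class="%2$s">%3$s</%1$s>', $tag, $class, wp_kses_post( $content ) );
}

// Declaring the attribute with an enum lets core validate it against the
// schema before the render callback runs, so out-of-range values revert to
// the default. The allow-list in demo_sanitize_tag() still applies as
// defense in depth if the schema is missing or bypassed.
add_action( 'init', function () {
    register_block_type( 'demo/wrapper', array(
        'attributes'      => array(
            'tag'       => array( 'type' => 'string', 'enum' => DEMO_ALLOWED_TAGS, 'default' => 'div' ),
            'className' => array( 'type' => 'string' ),
        ),
        'render_callback' => 'demo_render_safe',
    ) );
} );
```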

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 13:30:00 +0000

  Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 13 Jun 2026 12:45:00 +0000

  Type: First Time appeared
  Values Removed: (none)
  Values Added: Codesupplyco; Codesupplyco canvas; Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values Removed: (none)
  Values Added: Codesupplyco; Codesupplyco canvas; Wordpress; Wordpress wordpress

Sat, 13 Jun 2026 08:15:00 +0000

  Type: Description
  Values Removed: (none)
  Values Added: The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

  Type: Title
  Values Removed: (none)
  Values Added: Canvas <= 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tag' Block Attribute

  Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79

  Type: References
  Values Removed: (none)
  Values Added: (none listed)

  Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-15T12:55:45.432Z

Reserved: 2026-05-26T17:33:23.661Z

Link: CVE-2026-9629

Vulnrichment

Updated: 2026-06-15T12:55:40.824Z

NVD

Status : Deferred

Published: 2026-06-13T08:16:12.330

Modified: 2026-06-15T20:42:32.707

Link: CVE-2026-9629

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T12:28:51Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')