Description
The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-13
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Canvas WordPress plugin accepts a 'tag' attribute in several block rendering components, but does not properly sanitize or escape its value. When a contributor or higher‑privilege user supplies malicious content as the tag, the plugin stores it in the database and later includes it unfiltered when rendering the page. The injected script runs in any visitor’s browser, providing the attacker with access to client‑side information, session cookies, and the ability to perform actions on behalf of that user. This vulnerability is a classic stored cross‑site scripting flaw (CWE‑79).

Affected Systems

Any WordPress site using the Canvas plugin version 2.5.2 or earlier is vulnerable. The affected vendor is CodeSupplyCo under the Canvas plugin product line. Updating to Canvas 2.5.3 or later removes the flaw.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity risk. Because the exploitation requires authenticated contributor access, the attack vector is likely an insider or compromised contributor account. Although an EPSS score is not available, the flaw remains a real threat, especially in environments where contributors are granted access. The vulnerability is not listed in the CISA KEV catalog, but it can still be actively exploited if a site’s contributor base is not properly monitored.

Generated by OpenCVE AI on June 13, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Canvas plugin to version 2.5.3 or later, removing the vulnerable code paths.
  • If an immediate upgrade is not possible, disable the affected block features or enforce stricter input validation on the 'tag' attribute to prevent script injection.
  • Audit existing content for embedded scripts and delete any that were inserted as a result of the vulnerability.

Generated by OpenCVE AI on June 13, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 13 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
Description The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Canvas <= 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tag' Block Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-13T07:51:22.473Z

Reserved: 2026-05-26T17:33:23.661Z

Link: CVE-2026-9629

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-13T08:16:12.330

Modified: 2026-06-13T08:16:12.330

Link: CVE-2026-9629

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T09:30:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')