Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 01 Jul 2026 11:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 01 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Pfefferle
Pfefferle webmention Wordpress Wordpress wordpress |
|
| Vendors & Products |
Pfefferle
Pfefferle webmention Wordpress Wordpress wordpress |
Tue, 30 Jun 2026 19:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the unauthenticated webmention REST endpoint and rendered directly into HTML 'value' attributes by the edit-comment-form template without esc_attr() or esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a privileged user (moderator or administrator) opens the affected comment edit screen. | |
| Title | Webmention <= 5.8.0 - Unauthenticated Stored Cross-Site Scripting via MF2 'photo'/'url' Author Properties | |
| Weaknesses | CWE-79 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-01T10:32:06.942Z
Reserved: 2026-06-01T04:52:29.224Z
Link: CVE-2026-10513
Updated: 2026-07-01T10:31:14.007Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-01T00:00:16Z