{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1268", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-20T21:37:10.146Z", "datePublished": "2026-02-05T06:47:42.574Z", "dateUpdated": "2026-04-08T16:52:59.734Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:59.734Z"}, "affected": [{"vendor": "brechtvds", "product": "Dynamic Widget Content", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Dynamic Widget Content <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Content Field", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5324ca6d-37cb-41e4-8355-80ca113f855e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L64"}, {"url": "https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L70"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444655%40dynamic-widget-content&new=3444655%40dynamic-widget-content&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-01-20T21:52:18.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-04T18:42:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T15:11:47.711275Z", "id": "CVE-2026-1268", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T15:11:53.363Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1268", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T15:11:47.711275Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T15:11:50.391Z"}}], "cna": {"title": "Dynamic Widget Content <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Content Field", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "brechtvds", "product": "Dynamic Widget Content", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.3.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-20T21:52:18.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-04T18:42:46.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5324ca6d-37cb-41e4-8355-80ca113f855e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L64"}, {"url": "https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L70"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444655%40dynamic-widget-content&new=3444655%40dynamic-widget-content&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-05T06:47:42.574Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1268", "state": "PUBLISHED", "dateUpdated": "2026-02-05T15:11:53.363Z", "dateReserved": "2026-01-20T21:37:10.146Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-05T06:47:42.574Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Dynamic Widget Content para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del campo de contenido del widget en la barra lateral del editor Gutenberg en todas las versiones hasta la 1.3.6, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1268", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-05T07:16:17.620", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L64"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L70"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444655%40dynamic-widget-content&new=3444655%40dynamic-widget-content&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5324ca6d-37cb-41e4-8355-80ca113f855e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T18:50:30.749472+00:00", "value": {"mitigation_remediation": ["Upgrade the Dynamic Widget Content plugin to the latest available version, ensuring any known patches are applied.", "Restrict the Contributor role from adding or editing widget content, or remove the widget content field entirely for these users.", "Implement additional input validation and output encoding on any custom widget content fields as a fallback defense."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress installations running the Dynamic Widget Content plugin version 1.3.6 or earlier are impacted. The plugin is authored by BrechtVDS and is typically installed as a WordPress plugin.", "description_and_impact": "The vulnerability arises from insufficient sanitization of the widget content field in the Gutenberg editor, allowing an authenticated user with Contributor level or higher to persist malicious scripts. When a page containing the injected content is viewed, the script executes in the visitor\u2019s browser, exposing the site to data theft, session hijacking or defacement. This stored XSS flaw enables full client\u2011side compromise of any visitor accessing the affected page, leading to loss of confidentiality, integrity, and availability of the web application for all users.", "risk_and_exploitability": "The flaw carries a medium CVSS score of 6.4, yet its exploit probability is very low, with an EPSS of less than 1% and no listing in the CISA KEV catalog. The attack requires authentication with at least Contributor privileges, meaning that users with this role can exploit it directly. Although the exploit window is narrow, the impact on all users who view the injected pages is severe, and the lack of public exploits does not preclude future development of zero\u2011day methods."}}}}, "created": "2026-02-06T12:05:42.956766+00:00", "updated": "2026-04-15T19:00:12.280075+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}