{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1574", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-28T21:31:00.797Z", "datePublished": "2026-03-07T07:22:05.472Z", "dateUpdated": "2026-04-08T16:52:14.921Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:14.921Z"}, "affected": [{"vendor": "dgamoni", "product": "MyQtip \u2013 easy qTip2", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MyQtip \u2013 easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `myqtip` shortcode in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "MyQtip \u2013 easy qTip2 <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5035d412-861a-4a31-b5e5-378fc4962d90?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/myqtip-easy-qtip2/tags/2.0.5/includes/register_shortcode.php#L11"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "timeline": [{"time": "2026-01-02T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-03-06T18:41:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:31:49.620326Z", "id": "CVE-2026-1574", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:28:41.316Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1574", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T17:31:49.620326Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:31:50.855Z"}}], "cna": {"title": "MyQtip \u2013 easy qTip2 <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "dgamoni", "product": "MyQtip \u2013 easy qTip2", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-02T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-03-06T18:41:15.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5035d412-861a-4a31-b5e5-378fc4962d90?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/myqtip-easy-qtip2/tags/2.0.5/includes/register_shortcode.php#L11"}], "descriptions": [{"lang": "en", "value": "The MyQtip \u2013 easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `myqtip` shortcode in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:14.921Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1574", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:52:14.921Z", "dateReserved": "2026-01-28T21:31:00.797Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-07T07:22:05.472Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MyQtip \u2013 easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `myqtip` shortcode in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin MyQtip \u2013 easy qTip2 para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del shortcode 'myqtip' del plugin en todas las versiones hasta la 2.0.5, inclusive, debido a una sanitizaci\u00f3n de entrada insuficiente y un escape de salida inadecuado en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de nivel de colaborador y superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1574", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-07T08:16:09.933", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/myqtip-easy-qtip2/tags/2.0.5/includes/register_shortcode.php#L11"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5035d412-861a-4a31-b5e5-378fc4962d90?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MyQtip \u2013 easy qTip2", "source": "cna", "vendor": "dgamoni"}, "product": "myqtip_\u2013_easy_qtip2", "vendor": "dgamoni"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T17:47:28.412732+00:00", "value": {"mitigation_remediation": ["Update the MyQtip \u2013 easy qTip2 plugin to the latest release that removes the vulnerable shortcode handling.", "If an immediate patch is not available, revoke or downgrade contributor permissions so only administrators can insert shortcode content.", "Remove any existing posts or pages that contain the malicious \"myqtip\" attribute until the plugin is updated or hard\u2011coded sanitization is added."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting via plugin shortcode"}, "threat_synthesis": {"affected_systems": "MyQtip \u2013 easy qTip2, a WordPress plugin developed by dgamoni. All releases up to and including version 2.0.5 are vulnerable; newer releases that remove the tainted shortcode handling are not affected.", "description_and_impact": "The MyQtip \u2013 easy qTip2 plugin contains a stored cross\u2011site scripting flaw caused by insufficient sanitization of user\u2011supplied attributes in its shortcode. When a contributor or higher\u2011privileged user inserts a malicious script into a page or post via the \"myqtip\" shortcode, the offending code is persisted in the database and will execute in the browser of any visitor who loads that content. This can lead to theft of session tokens, defacement of pages, or the execution of further malicious payloads within the attacker\u2019s own session. The vulnerability is a classic stored XSS and does not provide remote code execution, but it does enable attackers who have content\u2011editing rights to compromise the browsing session of anyone who views the affected page.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1\u202f% shows a very low likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated user with contributor level or higher, who can edit or insert content that contains the malicious shortcode. Once inserted, the payload runs automatically for any visitor, making the attack highly effective once the content is published. The best\u2011practice remediation is to apply the vendor\u2019s patch or upgrade to a version that eliminates the vulnerable shortcode processing."}}}}, "created": "2026-03-09T10:05:39.048320+00:00", "updated": "2026-04-15T18:00:15.453991+00:00", "vendors": ["dgamoni", "dgamoni$PRODUCT$myqtip_\u2013_easy_qtip2", "wordpress", "wordpress$PRODUCT$wordpress"]}