{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1755", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-02T09:51:51.317Z", "datePublished": "2026-02-03T22:22:47.333Z", "dateUpdated": "2026-04-08T16:44:55.712Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:55.712Z"}, "affected": [{"vendor": "themeisle", "product": "Menu Icons by ThemeIsle", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.13.20", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018_wp_attachment_image_alt\u2019 post meta in all versions up to, and including, 0.13.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Menu Icons by ThemeIsle <= 0.13.20 - Authenticated (Author+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30bfa616-c7f3-4ff0-85b3-468debc8a73e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/menu-icons/tags/0.13.20/includes/front.php#L497"}, {"url": "https://plugins.trac.wordpress.org/changeset/3452685/menu-icons"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lukasz Sobanski"}], "timeline": [{"time": "2026-02-02T10:08:31.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-03T09:50:11.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T14:33:46.300321Z", "id": "CVE-2026-1755", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T14:35:12.337Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1755", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T14:33:46.300321Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T14:34:54.473Z"}}], "cna": {"title": "Menu Icons by ThemeIsle <= 0.13.20 - Authenticated (Author+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Lukasz Sobanski"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "themeisle", "product": "Menu Icons by ThemeIsle", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.13.20"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-02T10:08:31.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-03T09:50:11.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30bfa616-c7f3-4ff0-85b3-468debc8a73e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/menu-icons/tags/0.13.20/includes/front.php#L497"}, {"url": "https://plugins.trac.wordpress.org/changeset/3452685/menu-icons"}], "descriptions": [{"lang": "en", "value": "The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018_wp_attachment_image_alt\u2019 post meta in all versions up to, and including, 0.13.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:55.712Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1755", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:44:55.712Z", "dateReserved": "2026-02-02T09:51:51.317Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-03T22:22:47.333Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018_wp_attachment_image_alt\u2019 post meta in all versions up to, and including, 0.13.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Menu Icons by ThemeIsle para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del metadato de publicaci\u00f3n '_wp_attachment_image_alt' en todas las versiones hasta la 0.13.20, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite que atacantes autenticados, con acceso de nivel de Autor y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1755", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-03T23:16:06.633", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/menu-icons/tags/0.13.20/includes/front.php#L497"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3452685/menu-icons"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30bfa616-c7f3-4ff0-85b3-468debc8a73e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:07:33.834557+00:00", "value": {"mitigation_remediation": ["Upgrade the Menu Icons by ThemeIsle plugin to the latest version released after 0.13.20, which removes the XSS vulnerability.", "Restrict author\u2011level upload permissions to users who are trusted or to role\u2011based groups until the plugin is updated.", "Implement a Content Security Policy that blocks inline scripts and restricts script sources to trusted domains to reduce the impact of any residual XSS for non\u2011patched installations."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All WordPress installations that have the Menu Icons by ThemeIsle plugin version 0.13.20 or older, and where the plugin is active, are affected. Sites that allow Author or higher privileged users to upload media or modify the alt text field are at risk.", "description_and_impact": "The Menu Icons by ThemeIsle plugin for WordPress has a stored cross\u2011site scripting vulnerability. The flaw lies in the handling of the \u2018_wp_attachment_image_alt\u2019 post meta field, where input is not properly sanitized or escaped. Attacks require authenticated access with Author\u2011level permissions or higher, and allow the attacker to inject arbitrary web scripts that will execute whenever a page containing that media metadata is loaded by a user.", "risk_and_exploitability": "The CVSS score of 6.4 reflects a moderate severity for this stored XSS flaw. The EPSS score of less than 1% indicates a currently low probability of exploitation. Because the vulnerability requires authenticated access, the attack surface is limited to sites where an attacker can compromise or obtain a user account with Author or higher privileges. The flaw is not listed in the CISA KEV catalog, but any attacker who manages to exercise the required privileges can inject malicious JavaScript that will run in the browsers of visitors to the affected page."}}}}, "created": "2026-02-04T12:05:06.864784+00:00", "updated": "2026-04-16T01:15:20.530797+00:00", "vendors": ["themeisle", "themeisle$PRODUCT$menu_icons", "wordpress", "wordpress$PRODUCT$wordpress"]}