{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1796", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-03T09:00:53.484Z", "datePublished": "2026-02-14T06:42:24.992Z", "dateUpdated": "2026-04-08T16:32:47.680Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:47.680Z"}, "affected": [{"vendor": "indextwo", "product": "StyleBidet", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The StyleBidet plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "StyleBidet <= 1.0.0 - Reflected Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/030d4038-cf31-4ad9-a89a-6cf5f6177c2e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/stylebidet/tags/1.0.0/stylebidet.php#L309"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "timeline": [{"time": "2026-01-04T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-13T18:26:55.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T18:56:19.492618Z", "id": "CVE-2026-1796", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T18:56:27.470Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1796", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T18:56:19.492618Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T18:56:24.133Z"}}], "cna": {"title": "StyleBidet <= 1.0.0 - Reflected Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "indextwo", "product": "StyleBidet", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-04T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-13T18:26:55.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/030d4038-cf31-4ad9-a89a-6cf5f6177c2e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/stylebidet/tags/1.0.0/stylebidet.php#L309"}], "descriptions": [{"lang": "en", "value": "The StyleBidet plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:47.680Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1796", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:32:47.680Z", "dateReserved": "2026-02-03T09:00:53.484Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T06:42:24.992Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The StyleBidet plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin StyleBidet para WordPress es vulnerable a Cross-Site Scripting Reflejado a trav\u00e9s de la ruta URL en todas las versiones hasta la 1.0.0, inclusive, debido a la sanitizaci\u00f3n insuficiente de entrada y el escape de salida. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar a un usuario para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-1796", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T07:16:10.903", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/stylebidet/tags/1.0.0/stylebidet.php#L309"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/030d4038-cf31-4ad9-a89a-6cf5f6177c2e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.0]"}}], "product": "stylebidet", "vendor": "indextwo"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:47:26.042774+00:00", "value": {"mitigation_remediation": ["Upgrade the StyleBidet plugin to version 1.0.1 or later, if available; the vendor has fixed the input validation and output escaping issue.", "If an immediate upgrade is not possible, permanently disable the plugin until a patch can be applied.", "Implement a web\u2011application firewall or content\u2011security\u2011policy that blocks or sanitizes user\u2011supplied URLs to prevent script injection."], "summary": {"action": "Patch Quickly", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress plugin StyleBidet (indextwo:StyleBidet). All released versions up to and including 1.0.0 are impacted. No specific version numbers beyond the general upper bound are listed, so any deployment of a pre\u20111.0.0 build must be considered vulnerable.", "description_and_impact": "An attacker can craft a URL that inserts arbitrary JavaScript into the page when the victim clicks the link. The vulnerability exists in all versions up to 1.0.0 of the StyleBidet WordPress plugin and is caused by insufficient input sanitization and output escaping. An unauthenticated user can exploit it by sending a malicious link to any visitor of the site, leading to potential theft of session cookies, defacement, or drive\u2011by compromise. The weakness is a classic reflected XSS (CWE\u201179).", "risk_and_exploitability": "The CVSS base score of 6.1 indicates medium severity; the EPSS score below 1\u202f% suggests that exploit probability is currently very low, and the vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. The attack requires the victim to click a crafted link, a common social\u2011engineering vector. Once a victim executes the injected script in their browser, the attacker can execute arbitrary actions inside the context of the site\u2019s domain. While the likelihood of widespread exploitation is low, the impact to a compromised user can be significant, especially on sites where users have administrative privileges."}}}}, "created": "2026-02-16T12:03:12.620422+00:00", "updated": "2026-04-16T01:00:19.947672+00:00", "vendors": ["indextwo", "indextwo$PRODUCT$stylebidet", "wordpress", "wordpress$PRODUCT$wordpress"]}