{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22355", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:24.563Z", "datePublished": "2026-01-22T16:52:34.792Z", "dateUpdated": "2026-04-28T16:48:28.925Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "simple-xml-sitemap", "product": "Simple XML Sitemap", "vendor": "gregmolnar", "versions": [{"lessThanOrEqual": "1.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Skalucy | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:55.774Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS.<p>This issue affects Simple XML Sitemap: from n/a through <= 1.3.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS.This issue affects Simple XML Sitemap: from n/a through <= 1.3."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:41.330Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/simple-xml-sitemap/vulnerability/wordpress-simple-xml-sitemap-plugin-1-3-csrf-to-stored-xss-vulnerability?_s_id=cve"}], "title": "WordPress Simple XML Sitemap plugin <= 1.3 - CSRF to Stored XSS vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T20:32:44.009407Z", "id": "CVE-2026-22355", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:48:28.925Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22355", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T20:32:44.009407Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:32:40.591Z"}}], "cna": {"title": "WordPress Simple XML Sitemap plugin <= 1.3 - CSRF to Stored XSS vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Skalucy | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "affected": [{"vendor": "gregmolnar", "product": "Simple XML Sitemap", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.3"}], "packageName": "simple-xml-sitemap", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:55.774Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/simple-xml-sitemap/vulnerability/wordpress-simple-xml-sitemap-plugin-1-3-csrf-to-stored-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS.This issue affects Simple XML Sitemap: from n/a through <= 1.3.", "supportingMedia": [{"type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS.<p>This issue affects Simple XML Sitemap: from n/a through <= 1.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:36.310Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22355", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:36.310Z", "dateReserved": "2026-01-07T12:21:24.563Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:34.792Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS.This issue affects Simple XML Sitemap: from n/a through <= 1.3."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en gregmolnar Simple XML Sitemap simple-xml-sitemap permite XSS Almacenado. Este problema afecta a Simple XML Sitemap: desde n/a hasta &lt;= 1.3."}], "id": "CVE-2026-22355", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:31.727", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/simple-xml-sitemap/vulnerability/wordpress-simple-xml-sitemap-plugin-1-3-csrf-to-stored-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T17:58:11.868102+00:00", "value": {"mitigation_remediation": ["Upgrade the Simple XML Sitemap plugin to a version newer than 1.3, or disable and remove the plugin if it is no longer required.", "Restrict access to the WordPress admin area to trusted users only and log out after finishing administrative tasks to limit the surface area for CSRF attacks.", "Implement a CSRF protection measure such as adding a nonce to the plugin\u2019s form submissions or sanitizing any user\u2011supplied data before storing it to eliminate the stored XSS vector."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting via CSRF"}, "threat_synthesis": {"affected_systems": "WordPress sites using the gregmolnar Simple XML Sitemap plugin version 1.3 or earlier are affected. No specific version numbers are provided beyond the major release threshold; any deployment of the plugin prior to upgrading past 1.3 is susceptible.", "description_and_impact": "The Simple XML Sitemap plugin for WordPress is vulnerable to a Cross\u2011Site Request Forgery weakness that allows an attacker to store malicious script code in the site\u2019s database. This stored XSS can execute when an authenticated administrator or a visitor views the affected page, potentially leading to session hijacking, defacement, or credential theft. The weakness is classified as CWE\u2011352 and reflects the lack of proper CSRF protection for inputs that later are reinjected into the page without sanitization.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a moderate\u2011to\u2011high severity. The EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating no publicly known exploit code. An attacker would need to get the target to trigger the CSRF request, which could be achieved via a crafted link or malicious email; once the XSS payload is stored, it can affect any page that loads the vulnerable data."}}}}, "created": "2026-01-23T16:27:48.685153+00:00", "updated": "2026-04-16T18:00:11.189813+00:00", "vendors": ["gregmolnar", "gregmolnar$PRODUCT$simple_xml_sitemap", "wordpress", "wordpress$PRODUCT$wordpress"]}