{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2466", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-02-13T13:35:41.123Z", "datePublished": "2026-03-11T06:00:10.465Z", "dateUpdated": "2026-04-02T12:39:58.040Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:58.040Z"}, "title": "DukaPress <= 3.2.4 - Reflected XSS", "problemTypes": [{"descriptions": [{"description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "DukaPress", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "3.2.4"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin."}], "references": [{"url": "https://wpscan.com/vulnerability/2843e8fe-0c02-48ee-ada3-f1c3d1ee73eb/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Vuln Seeker Cyber Security Team", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T13:35:11.439408Z", "id": "CVE-2026-2466", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:36:05.140Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2466", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T13:35:11.439408Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:33:34.012Z"}}], "cna": {"title": "DukaPress <= 3.2.4 - Reflected XSS", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Vuln Seeker Cyber Security Team"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "DukaPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.2.4"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/2843e8fe-0c02-48ee-ada3-f1c3d1ee73eb/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-79 Cross-Site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:58.040Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2466", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:58.040Z", "dateReserved": "2026-02-13T13:35:41.123Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-03-11T06:00:10.465Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin."}, {"lang": "es", "value": "El plugin de WordPress DukaPress hasta la versi\u00f3n 3.2.4 no sanea ni escapa un par\u00e1metro antes de devolverlo en la p\u00e1gina, lo que lleva a un cross-site scripting reflejado que podr\u00eda ser utilizado contra usuarios con altos privilegios como el administrador."}], "id": "CVE-2026-2466", "lastModified": "2026-04-15T15:05:47.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-11T06:17:14.240", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/2843e8fe-0c02-48ee-ada3-f1c3d1ee73eb/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.4]"}}], "enrichment": {"confidence": 75.0, "confidence_source": "inferred", "scores": [{"score": 75.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "DukaPress", "source": "cna", "vendor": "Unknown"}, "product": "dukapress", "vendor": "dukapress"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T15:13:13.441308+00:00", "value": {"mitigation_remediation": ["Verify the version of the DukaPress plugin installed on the site.", "Check the plugin\u2019s official website or repository for an update that addresses the reflected XSS flaw.", "Apply the latest patch (a version newer than 3.2.4) or upgrade the plugin to a fixed release if available.", "If no update exists, consider disabling or uninstalling the plugin to remove the vulnerable code path.", "As an interim measure, review and tighten input validation rules and implement web application firewall rules that block script injections in user-supplied parameters."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "All installations of the DukaPress WordPress plugin with versions up to and including 3.2.4 are affected. The vendor is listed as Unknown and no patch version is identified in the supplied data.", "description_and_impact": "The DukaPress WordPress plugin fails to sanitize and escape a parameter before displaying it on the page, allowing an attacker to inject arbitrary JavaScript through crafted requests. The reflected cross\u2011site scripting can run in the victim\u2019s browser, potentially creating session hijacking, cookie theft, or execution of privileged actions on behalf of high\u2011privilege users such as administrators.", "risk_and_exploitability": "The CVSS score of 7.1 labels this vulnerability as High severity, while its EPSS score of less than 1% and absence from the KEV catalog suggest a low likelihood of immediate exploitation in the wild. Nevertheless, attackers can exploit this flaw remotely by crafting a malicious payload that is reflected in the plugin\u2019s output, thereby affecting users with administrative privileges. The high impact to privileged accounts warrants prompt remediation."}}}}, "created": "2026-03-12T10:06:25.445445+00:00", "updated": "2026-03-20T14:37:46.319406+00:00", "vendors": ["dukapress", "dukapress$PRODUCT$dukapress", "wordpress", "wordpress$PRODUCT$wordpress"]}