{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2502", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-13T22:02:17.549Z", "datePublished": "2026-02-19T04:36:05.011Z", "dateUpdated": "2026-04-08T16:33:26.164Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:26.164Z"}, "affected": [{"vendor": "yehudah", "product": "xmlrpc attacks blocker", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page."}], "title": "xmlrpc attacks blocker <= 1.0 - Unauthenticated Stored Cross-Site Scripting via 'X-Forwarded-For'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/059f0c64-efcc-4b79-81eb-b4ae9e3e2826?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L186"}, {"url": "https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L269"}, {"url": "https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L312"}, {"url": "https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L341"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2026-02-18T16:00:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:04:10.688082Z", "id": "CVE-2026-2502", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:40:06.750Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2502", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T17:04:10.688082Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:04:12.396Z"}}], "cna": {"title": "xmlrpc attacks blocker <= 1.0 - Unauthenticated Stored Cross-Site Scripting via 'X-Forwarded-For'", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "yehudah", "product": "xmlrpc attacks blocker", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T16:00:32.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/059f0c64-efcc-4b79-81eb-b4ae9e3e2826?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L186"}, {"url": "https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L269"}, {"url": "https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L312"}, {"url": "https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L341"}], "descriptions": [{"lang": "en", "value": "The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-19T04:36:05.011Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2502", "state": "PUBLISHED", "dateUpdated": "2026-02-19T17:40:06.750Z", "dateReserved": "2026-02-13T22:02:17.549Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T04:36:05.011Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page."}, {"lang": "es", "value": "El plugin xmlrpc attacks blocker para WordPress es vulnerable a cross-site scripting almacenado en versiones hasta la 1.0, inclusive, a trav\u00e9s del encabezado HTTP 'X-Forwarded-For'. Esto se debe a que el plugin conf\u00eda y registra datos de encabezado IP controlados por el atacante y renderiza entradas del registro de depuraci\u00f3n sin escape de salida. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios que se ejecutan cuando un administrador ve la p\u00e1gina del registro de depuraci\u00f3n."}], "id": "CVE-2026-2502", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:46.570", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L186"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L269"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L312"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L341"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/059f0c64-efcc-4b79-81eb-b4ae9e3e2826?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "xmlrpc attacks blocker", "source": "cna", "vendor": "yehudah"}, "product": "xmlrpc_attacks_blocker", "vendor": "yehudah"}], "analysis": {"en": {"generated_at": "2026-04-15T20:19:28.654880+00:00", "value": {"mitigation_remediation": ["Upgrade xmlrpc attacks blocker to the latest release, which removes the vulnerability and ensures proper sanitization of the X\u2011Forwarded\u2011For header and escaping of debug log output.", "If an upgrade cannot be performed, disable or restrict access to the debug logging page to trusted users only.", "Uninstall the plugin entirely if it is not required for site functionality."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Vulnerability applies to the Yehudah xmlrpc attacks blocker plugin for WordPress, up to and including version 1.0. Sites that have the plugin installed and enabled its debug logging feature are affected; other WordPress plugins or CMS versions are not impacted.", "description_and_impact": "XMLRPC Attacks Blocker, versions 1.0 and earlier, improperly trusts the X\u2011Forwarded\u2011For HTTP header and logs the value without sanitization. When an administrator opens the debug log page, the unescaped header content is rendered as part of the page, allowing an unauthenticated attacker to insert arbitrary JavaScript. This stored cross\u2011site scripting grants the attacker the ability to execute code in the admin context, potentially hijacking sessions, defacing content, or exfiltrating data.", "risk_and_exploitability": "The CVSS score of 6.1 represents a moderate severity, while the EPSS score of less than 1\u202f% indicates that exploitation is currently infrequent. The vulnerability is not present in the CISA KEV catalog. Exploitation requires only that an attacker point a request with a crafted X\u2011Forwarded\u2011For header at the vulnerable site; no authentication is necessary, and the malicious script executes with the privileges of any administrator who views the debug log. Organizations should treat this as a priority for remediation."}}}}, "created": "2026-02-19T10:07:25.921765+00:00", "updated": "2026-04-15T20:30:13.769747+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "yehudah", "yehudah$PRODUCT$xmlrpc_attacks_blocker"]}