{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28126", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:14:12.838Z", "datePublished": "2026-03-05T05:54:30.292Z", "dateUpdated": "2026-04-28T17:47:38.068Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "rh-frontend", "product": "RH Frontend Publishing Pro", "vendor": "sizam", "versions": [{"changes": [{"at": "4.3.4", "status": "unaffected"}], "lessThanOrEqual": "4.3.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Rafie Muhammad | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:53.006Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sizam RH Frontend Publishing Pro rh-frontend allows Reflected XSS.<p>This issue affects RH Frontend Publishing Pro: from n/a through < 4.3.4.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sizam RH Frontend Publishing Pro rh-frontend allows Reflected XSS.This issue affects RH Frontend Publishing Pro: from n/a through < 4.3.4."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:08.675Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/rh-frontend/vulnerability/wordpress-rh-frontend-publishing-pro-plugin-4-3-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress RH Frontend Publishing Pro plugin < 4.3.4 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T14:57:10.377029Z", "id": "CVE-2026-28126", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:47:38.068Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-28126", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-05T14:57:10.377029Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T14:56:32.385Z"}}], "cna": {"title": "WordPress RH Frontend Publishing Pro plugin < 4.3.4 - Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Rafie Muhammad | Patchstack Threat Intelligence"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Sizam", "product": "RH Frontend Publishing Pro", "versions": [{"status": "affected", "changes": [{"at": "4.3.4", "status": "unaffected"}], "version": "n/a", "lessThan": "4.3.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress RH Frontend Publishing Pro plugin to the latest available version (at least 4.3.4).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress RH Frontend Publishing Pro plugin to the latest available version (at least 4.3.4).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/rh-frontend/vulnerability/wordpress-rh-frontend-publishing-pro-plugin-4-3-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sizam RH Frontend Publishing Pro allows Reflected XSS.This issue affects RH Frontend Publishing Pro: from n/a before 4.3.4.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sizam RH Frontend Publishing Pro allows Reflected XSS.<p>This issue affects RH Frontend Publishing Pro: from n/a before 4.3.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-23T10:57:12.687Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28126", "state": "PUBLISHED", "dateUpdated": "2026-03-23T10:57:12.687Z", "dateReserved": "2026-02-25T12:14:12.838Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:30.292Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sizam RH Frontend Publishing Pro rh-frontend allows Reflected XSS.This issue affects RH Frontend Publishing Pro: from n/a through < 4.3.4."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en sizam RH Frontend Publishing Pro rh-frontend permite XSS Reflejado. Este problema afecta a RH Frontend Publishing Pro: desde n/a hasta &lt;= 4.3.2."}], "id": "CVE-2026-28126", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:47.403", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/rh-frontend/vulnerability/wordpress-rh-frontend-publishing-pro-plugin-4-3-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.3.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "RH Frontend Publishing Pro", "source": "cna", "vendor": "sizam"}, "product": "rh_frontend_publishing_pro", "vendor": "sizam"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T19:56:42.435212+00:00", "value": {"mitigation_remediation": ["Apply the latest plugin update to version\u202f4.3.4 or later; this release removes the reflected XSS vector.", "If immediate update is not feasible, disable or uninstall the RH Frontend Publishing Pro plugin to eliminate the exploitable code path.", "As a temporary workaround, limit or filter input passed to the plugin\u2019s frontend forms, ensuring that data is properly escaped before rendering, to mitigate the XSS risk until a patch is applied."], "summary": {"action": "Update Plugin", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The flaw affects the RH Frontend Publishing Pro plugin developed by Sizam, specifically all versions before 4.3.4. The plugin has no versions listed as fixed in the vendor release notes, so any installation of 4.3.3 or earlier remains vulnerable. No other plugins or themes share this issue based on the current CNA data.", "description_and_impact": "Improper neutralization of user input during web page generation creates a reflected XSS flaw. The vulnerability allows an attacker to inject arbitrary script into a page viewed by an authenticated or unauthenticated user, potentially leading to session hijacking, defacement, or manipulation of form submissions. This weakness is classified as CWE\u201179 and satisfies the core criteria for reflected XSS.", "risk_and_exploitability": "The CVSS base score of 7.1 indicates moderate to high severity. The EPSS score is reported as less than 1\u202f%, indicating a low probability of exploitation at the time of analysis. The vulnerability is not identified in CISA\u2019s KEV catalog. The attack vector is inferred to be a reflected XSS attack, most likely triggered by sending a malicious URL or input to a frontend form rendered by the plugin. Because the flaw relies on user control over input and lack of proper output encoding, any authenticated or unauthenticated visitor to a vulnerable page could be impacted."}}}}, "created": "2026-03-06T15:08:16.191164+00:00", "updated": "2026-04-15T20:00:06.627892+00:00", "vendors": ["sizam", "sizam$PRODUCT$rh_frontend_publishing_pro", "wordpress", "wordpress$PRODUCT$wordpress"]}