{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5717", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-06T18:16:08.166Z", "datePublished": "2026-04-15T07:45:29.078Z", "dateUpdated": "2026-04-15T13:21:29.069Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T07:45:29.078Z"}, "affected": [{"vendor": "knighthawk", "product": "VI: Include Post By", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.4.200706", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3e95dc2-0f50-4009-9cc0-a02f9977ce58?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/vi-include-post-by/tags/0.4.200706/vi_include_post_by.php#L809"}, {"url": "https://plugins.trac.wordpress.org/browser/vi-include-post-by/trunk/vi_include_post_by.php#L809"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "nail majdeddine"}], "timeline": [{"time": "2026-04-14T19:45:02.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:21:17.433869Z", "id": "CVE-2026-5717", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:21:29.069Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5717", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T13:21:17.433869Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:21:22.989Z"}}], "cna": {"title": "VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "nail majdeddine"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "knighthawk", "product": "VI: Include Post By", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.4.200706"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-14T19:45:02.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3e95dc2-0f50-4009-9cc0-a02f9977ce58?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/vi-include-post-by/tags/0.4.200706/vi_include_post_by.php#L809"}, {"url": "https://plugins.trac.wordpress.org/browser/vi-include-post-by/trunk/vi_include_post_by.php#L809"}], "descriptions": [{"lang": "en", "value": "The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T07:45:29.078Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5717", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:21:29.069Z", "dateReserved": "2026-04-06T18:16:08.166Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-15T07:45:29.078Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-5717", "lastModified": "2026-04-22T20:23:16.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-15T09:16:33.527", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/vi-include-post-by/tags/0.4.200706/vi_include_post_by.php#L809"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/vi-include-post-by/trunk/vi_include_post_by.php#L809"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3e95dc2-0f50-4009-9cc0-a02f9977ce58?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.4.200706]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "VI: Include Post By", "source": "cna", "vendor": "knighthawk"}, "product": "vi:_include_post_by", "vendor": "knighthawk"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T09:21:19.714112+00:00", "value": {"mitigation_remediation": ["Upgrade the VI: Include Post By plugin to any version newer than 0.4.200706", "If an upgrade is not possible, remove or neutralize the 'class_container' attribute from all 'include-post-by-cat' shortcodes used on the site", "Restrict contributor roles from adding or editing shortcodes, or upgrade their capabilities to prevent injection"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the VI: Include Post By plugin, versions up to and including 0.4.200706, are affected. The plugin, developed by Knighthawk, is distributed through the WordPress plugin repository. Any site that has installed or upgraded the plugin to a version older than or equal to 0.4.200706 may be vulnerable, regardless of the WordPress core version.", "description_and_impact": "The VI: Include Post By WordPress plugin contains a stored cross\u2011site scripting vulnerability that arises when the 'class_container' attribute of the 'include-post-by-cat' shortcode is not properly sanitized or escaped. This flaw allows an attacker with contributor\u2011level access or higher to inject arbitrary JavaScript code that will be executed by any user who views the page containing the malicious content. The weakness is a classic input validation and output encoding issue classified as CWE\u201179.", "risk_and_exploitability": "The vulnerability scores a moderate severity (CVSS\u202f6.4) and lacks an available EPSS score, indicating uncertainty about exploitation frequency. It is not listed in the CISA KEV catalog. Attackers must be authenticated with at least contributor privileges and must be able to insert or edit shortcodes on the site. Once a malicious snippet is stored, any authenticated or unauthenticated visitor to the affected page will run the injected code, potentially leading to session hijacking, data theft, or defacement. Because the injection occurs through a commonly used shortcode, the attack surface is significant across dozens of sites that rely on this plugin."}}}}, "created": "2026-04-15T13:49:14.867104+00:00", "updated": "2026-04-15T14:53:26.918384+00:00", "vendors": ["knighthawk", "knighthawk$PRODUCT$vi:_include_post_by", "wordpress", "wordpress$PRODUCT$wordpress"]}