{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6236", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-13T16:12:39.669Z", "datePublished": "2026-04-22T07:45:42.052Z", "dateUpdated": "2026-04-22T13:51:37.615Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:42.052Z"}, "affected": [{"vendor": "lucdecri", "product": "Posts map", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Posts map <= 0.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e02c5817-7a54-4958-a076-71e5e7729cda?source=cve"}, {"url": "https://wordpress.org/plugins/posts-map/"}, {"url": "https://plugins.trac.wordpress.org/browser/posts-map/tags/0.1.3/posts-map.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/posts-map/tags/0.1.3/posts-map.php#L78"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "nail majdeddine"}], "timeline": [{"time": "2026-04-21T19:03:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:51:03.183146Z", "id": "CVE-2026-6236", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:51:37.615Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6236", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T13:51:03.183146Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:51:28.167Z"}}], "cna": {"title": "Posts map <= 0.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "nail majdeddine"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "lucdecri", "product": "Posts map", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-21T19:03:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e02c5817-7a54-4958-a076-71e5e7729cda?source=cve"}, {"url": "https://wordpress.org/plugins/posts-map/"}, {"url": "https://plugins.trac.wordpress.org/browser/posts-map/tags/0.1.3/posts-map.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/posts-map/tags/0.1.3/posts-map.php#L78"}], "descriptions": [{"lang": "en", "value": "The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:42.052Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6236", "state": "PUBLISHED", "dateUpdated": "2026-04-22T13:51:37.615Z", "dateReserved": "2026-04-13T16:12:39.669Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-22T07:45:42.052Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-6236", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:26.400", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/posts-map/tags/0.1.3/posts-map.php#L33"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/posts-map/tags/0.1.3/posts-map.php#L78"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/posts-map/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e02c5817-7a54-4958-a076-71e5e7729cda?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.1.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Posts map", "source": "cna", "vendor": "lucdecri"}, "product": "posts_map", "vendor": "lucdecri"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T09:36:15.748247+00:00", "value": {"mitigation_remediation": ["Upgrade the Posts map plugin to a version newer than 0.1.3 if an update is available", "If an update cannot be applied, disable or remove the plugin to eliminate the attack vector", "Restrict contributor or higher role users from using the plugin or grant permissions through a role that excludes the \"name\" attribute usage"], "summary": {"action": "Upgrade Plugin", "impact": "Stored cross-site scripting that allows authenticated contributors or higher to inject and execute arbitrary JavaScript on target pages"}, "threat_synthesis": {"affected_systems": "The issue affects the Posts map WordPress plugin developed by lucdecri, with all releases up to and including version 0.1.3. Users who have installed these or earlier versions are at risk if they grant contributor or higher access to the site.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw (CWE\u201179) in the Posts map plugin, caused by insufficient sanitization of the \"name\" shortcode attribute. An attacker who holds contributor or higher privileges can submit content containing malicious scripts that are persisted and rendered on page load, leading to code execution in the browsers of all users who view the affected page.", "risk_and_exploitability": "The vulnerability scores a CVSS of 6.4, indicating moderate severity. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog, suggesting limited public exploitation data. Nevertheless, exploitation requires only authenticated access with contributor or higher role, which is commonly assigned for content management. An attacker can exploit the flaw by creating or editing a post that uses the \"name\" attribute, causing the stored script to run whenever any user visits the page. Because the payload runs in the user's browser, it can lead to theft of session cookies, defacement, or further compromise of the victim's system."}}}}, "created": "2026-04-22T09:45:13.082532+00:00", "updated": "2026-04-22T11:43:51.831277+00:00", "vendors": ["lucdecri", "lucdecri$PRODUCT$posts_map", "wordpress", "wordpress$PRODUCT$wordpress"]}