CVE-2026-10089
MEDIUMCVSS v3.1: 6.4 · EPSS: 0.0022 (12.2 percentile)
Source data as of:
At a glance
- Severity
- MEDIUM
- CVSS
- 6.4 v3.1 · NVD
- EPSS
- 0.0022 (12.2 percentile) · FIRST.org
- CISA KEV
- No
- Type
- XSS · NVD CWE
- Attack conditions (CVSS vector)
- NetworkNo user interaction · Source: NVD Vector
- Published
- 2026-07-02 · Modified: 2026-07-02
- References
- Jump to references (8)
CVSS / EPSS / KEV
Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources
Description
The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to, and including, 3.11.4. This is due to insufficient output escaping in the the_meta() function: while the custom field VALUE is sanitized with wp_kses_post(), the custom field KEY ($key) is interpolated into the rendered HTML (lines 1786-1791) and echoed (line 1806) without any escaping when an inserted page is rendered with the [insert page='ID' display='all'] shortcode. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.
- Reference https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.3/insert-pages.php#L1771
- Reference https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.3/insert-pages.php#L1789
- Reference https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.3/insert-pages.php#L768
- Reference https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.4/insert-pages.php#L1771
- Reference https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.4/insert-pages.php#L1789
- Reference https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.4/insert-pages.php#L768
- Reference https://plugins.trac.wordpress.org/changeset/3579298
- Vendor advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/a4246181-d331-46b0-ad48-e2ece11b…