anonhaven
Ad

CVE-2026-0867

MEDIUM CVSS 3.1: 6.4 EPSS 0.01%
Updated Feb 05, 2026
WordPress
Parameter Value
CVSS 6.4 (MEDIUM)
Fixed In 3.0
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor WordPress
Public PoC No

The Essential Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ew-author, ew-archive, ew-category, ew-page, and ew-menu shortcodes in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 3.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

References 3

https://plugins.trac.wordpress.org/changeset/3440541/essential-widgets
security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3447282/essential-widgets
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/08d4ed49-1338-422f-b5…
security@wordfence.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-4063

WordPress

4.3

CVE-2026-3986

WordPress

6.4

CVE-2026-3891

WordPress

9.8

CVE-2026-3045

WordPress

7.5

CVE-2026-32448

WordPress

6.5