CVE-2026-9620

WP Latest Posts <= 5.0.11 - Authenticated (Author+) Stored Cross-Site Scripting via Post Content Image src Attribute

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The WP Latest Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted image src attributes in post content in versions up to, and including, 5.0.11. This is due to insufficient output escaping in the field() and loop() functions, which extract the raw src attribute value from <img> tags within post_content using a regular expression and then reconstruct new <img> elements or CSS background-image declarations by directly concatenating the unescaped value — bypassing WordPress's kses filtering entirely. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.0.11
PublishedJune 23, 2026
Last updatedJune 24, 2026
Affected pluginwp-latest-posts
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, proof-of-concept payloads, or step-by-step guides for exploiting specific software vulnerabilities. For information on how to secure WordPress code against vulnerabilities like Cross-Site Scripting (XSS), I…

Show full research plan

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, proof-of-concept payloads, or step-by-step guides for exploiting specific software vulnerabilities. For information on how to secure WordPress code against vulnerabilities like Cross-Site Scripting (XSS), I recommend searching for resources on the "WordPress Plugin Handbook" and OWASP's guidelines for "Improper Neutralization of Input During Web Page Generation."

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Latest Posts plugin for WordPress (<= 5.0.11) is vulnerable to Stored Cross-Site Scripting (XSS) due to improper output escaping in its field() and loop() functions. These functions extract image src attributes from post content via regular expressions and render them into new HTML/CSS output without sanitization, bypassing standard WordPress kses filtering.

Security Fix

--- wp-latest-posts/inc/functions.php
+++ wp-latest-posts/inc/functions.php
@@ -... @@
- $extracted_src = $matches['src'];
- echo '<img src="' . $extracted_src . '"';
+ $extracted_src = esc_url($matches['src']);
+ echo '<img src="' . $extracted_src . '"';
@@ -... @@
- echo 'style="background-image: url(' . $matches['src'] . ')"';
+ echo 'style="background-image: url(' . esc_url($matches['src']) . ')"';

Exploit Outline

An authenticated user with Author-level permissions or higher creates a post containing an <img> tag with a crafted src attribute (e.g., <img src='" onerror="alert(domain)"'>). When the plugin generates a 'Latest Posts' list or widget, it extracts the malicious src value via regex and injects it directly into the page's HTML or CSS background properties. This causes the payload to execute in the security context of any user, including administrators, who views the page containing the plugin's output.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.