WordPress Exxp Plugin <= 2.6.8 is vulnerable to Cross Site Scripting (XSS)
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Stored XSS in Exxp plugin <=2.6.8 allows authenticated subscribers to inject malicious scripts, potentially compromising site visitors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Exxp plugin for WordPress versions 2.6.8 and earlier is vulnerable to stored cross-site scripting (XSS). An authenticated user with subscriber-level privileges can inject arbitrary JavaScript into a field that is later displayed to other users. The root cause is insufficient sanitization of the submitted value and missing output escaping when it is rendered. The plugin has been closed and removed from the WordPress plugin directory as of March 7, 2024, citing a security issue [1].
Exploitation
To exploit this vulnerability, an attacker must have at least a subscriber account on the WordPress site. The attacker crafts a payload containing malicious JavaScript and submits it via a vulnerable field in the plugin. When other users (including administrators) later view the page containing that field, the script executes in their browser. No user interaction beyond normal page navigation is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript within the context of the victim's browser. This can lead to session cookie theft, redirection to malicious sites, defacement, or extraction of sensitive information. The attack can affect any user who views the compromised content, including site administrators, thereby escalating privileges beyond the subscriber role.
Mitigation
No patched version of the plugin is available; it has been permanently closed and removed from the WordPress.org repository due to a security issue [1]. Because there is no fix, the only mitigation is to uninstall the plugin entirely from the site, and users are strongly advised to do so immediately.
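Because no fixed release exists, the practical check is simply whether the plugin is present on a site and which version it declares. The POSIX shell script below is an added example, not part of this advisory or of the plugin's own code; it assumes the standard wp-content/plugins/<slug>/ layout, uses the slug exxp-wp from the WordPress.org closure notice on this page, and reads the version from the plugin's standard "Version:" header comment. Removal itself is the same as for any plugin: deactivate and delete it from the admin UI, or with `wp plugin delete exxp-wp` where WP-CLI is available.

```shell
#!/bin/sh
# Added example, not from the advisory or the plugin: find the Exxp plugin
# (slug exxp-wp, per the WordPress.org closure notice) under a WordPress
# install and report whether the version it declares is in the affected
# range (<= 2.6.8). Assumes the standard wp-content/plugins/<slug>/ layout
# and a standard "Version:" header comment in a top-level PHP file.

AFFECTED_MAX="2.6.8"
PLUGIN_SLUG="exxp-wp"

# Print the version declared in a plugin directory's header, or "unknown".
exxp_version() {
    dir="$1"
    # Header lines look like "Version: 2.6.8" or " * Version: 2.6.8".
    v=$(cat "$dir"/*.php 2>/dev/null \
        | grep '^[[:space:]*]*Version:' \
        | head -n 1 \
        | sed 's/^.*Version:[[:space:]]*//; s/[[:space:]]*$//')
    if [ -n "$v" ]; then echo "$v"; else echo "unknown"; fi
}

# Return 0 if dotted version $1 <= $2, comparing numeric components
# left to right (so 2.10.0 sorts after 2.6.8); missing components count as 0.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# Check one WordPress root. Prints a one-line verdict and returns
# 0 = not installed, 1 = installed and in the affected range,
# 2 = installed with an unknown or later version.
# Since no fixed release exists, any non-zero result means: remove it.
check_exxp() {
    dir="$1/wp-content/plugins/$PLUGIN_SLUG"
    if [ ! -d "$dir" ]; then
        echo "not-installed"
        return 0
    fi
    v=$(exxp_version "$dir")
    if [ "$v" = "unknown" ]; then
        echo "installed version-unknown"
        return 2
    fi
    if version_le "$v" "$AFFECTED_MAX"; then
        echo "affected $v"
        return 1
    fi
    echo "installed $v"
    return 2
}

# Usage: sh check_exxp.sh /var/www/html
if [ -n "${1:-}" ]; then
    check_exxp "$1"
fi
```

The version comparison is done numerically per component rather than with `sort -V`, so the script runs on any POSIX shell and awk; a version the header does not expose still produces a non-zero result, because with no patched release the correct action does not depend on the exact number.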
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=2.6.8
- (no CPE) range: n/a
Patches (0)
exxp-wp: This plugin has been removed from the WordPress.org directory on 2024-03-07 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.