WordPress Kanban Boards for WordPress Plugin <= 2.5.20 is vulnerable to Cross Site Scripting (XSS)
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Admin-stored XSS in Kanban for WordPress plugin <= 2.5.20 allows attackers to inject scripts into admin pages, potentially compromising site integrity.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An authenticated (admin+) stored Cross-Site Scripting (XSS) vulnerability exists in the Kanban for WordPress plugin, also known as Kanban Boards for WordPress, up to and including version 2.5.20. The flaw allows users with administrator-level access to inject arbitrary JavaScript into the application's database, which is later executed in the context of other admin users' sessions.
Exploitation
An attacker must first obtain administrator credentials to the WordPress instance. Once authenticated, the attacker can craft a malicious payload that, when saved via the plugin's administrative interfaces, is stored on the server. Any subsequent administrator viewing the affected page will have the payload rendered and executed in their browser, typically without requiring additional user interaction beyond visiting the page.
Impact
Successful exploitation leads to Stored Cross-Site Scripting, enabling the attacker to execute arbitrary JavaScript in the browsers of other administrators. This can result in session hijacking, defacement of admin pages, or further compromise of the WordPress installation by abusing administrative privileges.
Mitigation
The plugin has been closed and removed from the WordPress.org plugin directory as of March 7, 2024, due to a security issue, as noted in the advisory [1]. No patched version is available through the official directory. Users are urged to uninstall the plugin immediately. No other mitigation or workaround is provided in the available references, and the plugin is considered end-of-life.
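Since the only remediation is removal, the check a site operator actually needs is an inventory step: confirm whether the plugin is present, record its version against the published range, and remove it. The script below is an added example, not code from the advisory or the plugin; it assumes the site is managed with WP-CLI (`wp`) and takes the slug `kanban` from the WordPress.org directory entry.

```sh
#!/bin/sh
# Added example (not part of the advisory): inventory and remove the affected
# plugin on a WordPress install managed with WP-CLI. The slug "kanban" and the
# range <= 2.5.20 come from the advisory; the WP-CLI options (e.g. --path) are
# supplied by the caller.

PLUGIN_SLUG="kanban"
AFFECTED_MAX="2.5.20"

# version_le A B: succeed when dotted version A <= B. Components are compared
# numerically one at a time; a missing component counts as 0 (2.5 == 2.5.0),
# and anything from the first non-digit onward in a component ("20-rc1") is ignored.
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=$(printf '%s' "${a%%.*}" | sed 's/[^0-9].*//')
        bi=$(printf '%s' "${b%%.*}" | sed 's/[^0-9].*//')
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# kanban_is_affected VERSION: succeed when VERSION is inside the published range.
kanban_is_affected() { version_le "$1" "$AFFECTED_MAX"; }

# remediate_site [wp options...]: report the installed version and, because no
# fixed release exists, uninstall the plugin whenever it is present at all.
remediate_site() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; return 2; }
    if ! wp plugin is-installed "$PLUGIN_SLUG" "$@" >/dev/null 2>&1; then
        echo "$PLUGIN_SLUG: not installed"; return 0
    fi
    ver=$(wp plugin get "$PLUGIN_SLUG" --field=version "$@")
    if kanban_is_affected "$ver"; then
        echo "$PLUGIN_SLUG $ver: inside published affected range (<= $AFFECTED_MAX)"
    else
        echo "$PLUGIN_SLUG $ver: outside published range, but no patched release exists"
    fi
    # --deactivate turns the plugin off first; uninstall runs its hook and removes files.
    wp plugin uninstall "$PLUGIN_SLUG" --deactivate "$@"
}

# Run directly as: sh remove-kanban.sh --path=/var/www/site
if [ "$#" -gt 0 ]; then remediate_site "$@"; fi
```

Running it across a fleet is a loop over site paths; the functions can also be sourced and `kanban_is_affected` used on versions pulled from another inventory source.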
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=2.5.20
- (no CPE) range: n/a
Patches
kanban: This plugin has been removed from the WordPress.org directory on 2024-03-07 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page