VYPR
Unrated severity · NVD Advisory · Published Aug 7, 2023 · Updated May 5, 2025

WPCode < 2.0.13.1 - Reflected XSS

CVE-2023-3524

Description

The WPCode WordPress plugin before 2.0.13.1 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WPCode before 2.0.13.1 fails to escape generated URLs, allowing reflected XSS via crafted links.

Vulnerability

Versions of the WPCode WordPress plugin (formerly Insert Headers and Footers) prior to 2.0.13.1 contain a reflected cross-site scripting vulnerability. The plugin outputs generated URLs in HTML attributes without escaping them for that context, so a URL carrying attacker-controlled characters can close the attribute and inject arbitrary JavaScript. An attacker can craft a link that, when opened by a logged-in administrator, executes script in the context of the admin session [1].

Exploitation

The attacker needs to get an administrator of a site running the plugin to open a crafted link; no network position beyond ordinary web access is required. The crafted URL carries a payload that the plugin reflects into the page's response, so the script runs in the victim's browser under the site's origin [1]. As with any reflected XSS, nothing is stored on the server: each victim has to be delivered the link, and the page that outputs the unescaped URL must be one the victim can load.

Impact

Successful exploitation gives the attacker reflected cross-site scripting (XSS) in the WordPress admin area. Arbitrary JavaScript runs in the administrator's session, in the site's origin, so it can read page content, issue authenticated requests (including ones guarded only by nonces, which the script can read out of the page) and alter the installation. Since WPCode's own purpose is inserting code snippets into the site, script running as an administrator has a direct route to persisting attacker-controlled code. The cited advisory gives a CVSS score of 7.1 (high) [1].

Mitigation

The vulnerability is fixed in WPCode 2.0.13.1; update to that version or later. No workaround is known, so updating is the only remediation. The plugin's changelog and the advisory confirm the fix [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The plugin does not escape generated URLs before outputting them in HTML attributes, allowing an attacker to inject arbitrary JavaScript."

Attack vector

An attacker crafts a malicious URL containing a JavaScript payload (e.g., `javascript:alert(1)` or an attribute breakout such as `" onmouseover=...`) and gets a logged-in administrator to open it. The WPCode plugin reflects the request URL, payload included, into an HTML attribute without escaping, so the browser executes the attacker's script in the context of the victim's WordPress admin session [1]. This is reflected cross-site scripting (CWE-79) and requires no privileges on the site from the attacker beyond the ability to deliver the crafted link.

Affected code

The advisory does not specify exact file paths or function names. The vulnerable code resides in the WPCode plugin (slug: insert-headers-and-footers) versions before 2.0.13.1, where generated URLs are output in HTML attributes without proper escaping [1].

What the fix does

The advisory states the vulnerability is fixed in version 2.0.13.1 [1]. The fix ensures that generated URLs are properly escaped before being output in HTML attributes, preventing injection of arbitrary JavaScript. No patch diff is available in the bundle, but the remediation guidance is to update to version 2.0.13.1 or later.
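The attack vector and the fix described above, as an added example in PHP. This is illustrative code, not WPCode's own, and the advisory does not say that WPCode's vulnerable code took exactly this shape. It assumes the usual WordPress pattern behind "generated URL" reflected XSS: a link is built with add_query_arg(), which rebuilds the current request's query string without re-encoding it, and the result is echoed into an href attribute; the fix is to pass it through esc_url() at output time. The demo_add_query_arg() and demo_esc_url() functions are simplified stand-ins for those two WordPress functions so the script runs from the command line without WordPress; the admin page path, the page=wpcode slug and the extra x parameter are made up for the demonstration.

```php
<?php
// Added example, not WPCode's code. Models the "generated URL" reflected XSS
// pattern in a WordPress admin page and the esc_url() fix. The two demo_*
// functions are simplified stand-ins for WordPress's add_query_arg() and
// esc_url() so this runs stand-alone: php demo.php
declare(strict_types=1);

/**
 * Stand-in for add_query_arg($args): merge $args into the query string of the
 * current request URI. Like WordPress, it percent-decodes the incoming query
 * (parse_str) and rebuilds it WITHOUT re-encoding, so whatever the attacker
 * put in the query string comes back out raw in the "generated" URL.
 */
function demo_add_query_arg(array $args, string $request_uri): string
{
    $parts = parse_url($request_uri);
    $query = [];
    if (!empty($parts['query'])) {
        parse_str($parts['query'], $query);
    }
    foreach ($args as $k => $v) {
        $query[$k] = $v;
    }
    $pairs = [];
    foreach ($query as $k => $v) {
        $pairs[] = $k . '=' . (is_array($v) ? '' : (string) $v);
    }
    return ($parts['path'] ?? '/') . '?' . implode('&', $pairs);
}

/**
 * Stand-in for esc_url($url) in its default (display) mode: strip characters
 * outside the allowed set (this removes " < > and with them the attribute
 * breakout), reject non-http(s) schemes such as javascript:, and
 * entity-encode & and ' for the attribute context.
 */
function demo_esc_url(string $url): string
{
    $url = str_replace(' ', '%20', ltrim($url));
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]\x80-\xff]|i', '', $url);
    if (preg_match('|^([a-z][a-z0-9+.-]*):|i', $url, $m)
        && !in_array(strtolower($m[1]), ['http', 'https'], true)) {
        return '';
    }
    return str_replace(['&', "'"], ['&#038;', '&#039;'], $url);
}

/** Vulnerable pattern: the generated URL goes into the attribute unescaped. */
function render_link_vulnerable(string $request_uri): string
{
    $url = demo_add_query_arg(['action' => 'edit'], $request_uri);
    return '<a href="' . $url . '">Edit</a>';
}

/** Fixed pattern: escape for the URL-in-attribute context at output time. */
function render_link_fixed(string $request_uri): string
{
    $url = demo_add_query_arg(['action' => 'edit'], $request_uri);
    return '<a href="' . demo_esc_url($url) . '">Edit</a>';
}

/**
 * What a browser would see: parse the fragment and report whether the <a>
 * element ended up with an onmouseover attribute of its own, i.e. whether the
 * payload broke out of the href value.
 */
function link_has_event_handler(string $html): bool
{
    $dom = new DOMDocument();
    @$dom->loadHTML($html);
    foreach ($dom->getElementsByTagName('a') as $a) {
        if ($a->hasAttribute('onmouseover')) {
            return true;
        }
    }
    return false;
}

// Constructed crafted request. The admin page path and the extra "x" parameter
// are made up; the parameter does not have to be one the plugin reads, because
// the request's whole query string is echoed back into the generated URL.
$crafted = '/wp-admin/admin.php?page=wpcode&x=%22%20onmouseover%3Dalert(document.cookie)%20x%3D%22';

$renders = [
    'vulnerable' => render_link_vulnerable($crafted),
    'fixed'      => render_link_fixed($crafted),
];
foreach ($renders as $label => $html) {
    printf("%-11s %s\n", $label . ':', $html);
    printf("%-11s onmouseover attribute present: %s\n", '', link_has_event_handler($html) ? 'yes' : 'no');
}
```

The vulnerable render closes the href value at the attacker's decoded double quote and leaves `onmouseover=alert(document.cookie)` as a separate attribute, which is what link_has_event_handler() reports; the fixed render has the quote stripped and the spaces percent-encoded, so the whole payload stays inside the href value as inert text. The same two renders are also a usable test for a pentester: request the admin page with such a parameter appended and check whether the response's generated links parse with an extra attribute.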

Preconditions

  • config: The target site must be running a WPCode plugin version prior to 2.0.13.1
  • auth: A logged-in administrator must open a crafted link
  • network: The attacker must be able to deliver a malicious URL to the victim (e.g., via email or social engineering)
  • input: The malicious payload is supplied via a URL parameter that the plugin reflects unescaped into an HTML attribute

Reproduction

The advisory at [ref_id=1] does not include explicit reproduction steps beyond the description. No standalone PoC code is provided in the bundle.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)