CVE-2026-24576

Vulnerability

Overview

The COP UX Flat plugin for WordPress (versions up to and including 5.4.0) contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This is a Stored XSS flaw, meaning the injected script is permanently stored on the server and executed whenever a victim visits the affected page.

Exploitation

Details

To exploit this vulnerability, an attacker must have a privileged user role (e.g., Editor or Administrator) within the WordPress site [1]. The attacker can inject malicious HTML or JavaScript payloads through input fields that are not properly sanitized. Successful exploitation requires a privileged user to perform an action, such as clicking a malicious link or visiting a crafted page, which triggers the stored payload is then executed when any visitor loads the compromised page [1].

Impact

An attacker can inject arbitrary scripts, redirects, advertisements, or other HTML payloads into the website [1]. These scripts execute in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. The vulnerability is rated Medium (CVSS 6.5) and is known to be used in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

The vendor has released a patched version; users are strongly advised to update the UX Flat plugin immediately [1]. If updating is not possible, contact your hosting provider or web developer for assistance. No workaround details are provided in the advisory.