CVE-2026-39708

The UiCore Elements plugin for WordPress versions up to 1.3.14 contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows input to be stored without sanitization and later executed in the browser of users who view the affected page.

To exploit this vulnerability, an attacker must be an authenticated user with at least Contributor-level privileges. The attacker injects malicious HTML or JavaScript into input fields, which is stored and then executed when other users or visitors access the compromised page. No special network access is required beyond standard WordPress admin capabilities [1].

Successful exploitation enables an attacker to perform actions such as session hijacking, website defacement, redirecting visitors to malicious sites, or delivering additional payloads. Because the XSS is stored, the attack can persist and affect multiple users without requiring them to click a separate malicious link [1].

The vendor has released a patched version (1.3.15 or later) to address this issue. Users are strongly recommended to update immediately. If updating is not possible, consult a hosting provider or web developer for assistance [1].