CVE-2026-6704
Description
The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Blog Settings plugin for WordPress via the 'page' parameter allows unauthenticated attackers to inject arbitrary scripts.
The Blog Settings plugin for WordPress, in all versions up to and including 1.0, is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability exists because the plugin fails to properly sanitize user input and escape output when handling the 'page' parameter. This insufficient validation allows an attacker to inject arbitrary web scripts into the page that will be reflected back to the user.
To exploit this vulnerability, an unauthenticated attacker must trick a user into clicking a crafted link. The attacker does not need any special network position or authentication; the attack is performed remotely by sending a malicious URL to the victim. The injected script executes in the context of the victim's browser session on the affected WordPress site.
Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, defacement of the site, or redirection to malicious sites. The impact is limited by the need for user interaction, but the attack surface is broad because no prior authentication is required.
The plugin has been closed as of April 29, 2026, pending a full review [1]. Users are advised to remove or replace the plugin immediately, as no patched version is available. No workaround has been provided, and the vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
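The description above names the general defect class (a request parameter reflected into the response without sanitization on input or escaping on output) rather than the plugin's actual code, which is not on this page. The following is an added illustration, not the Blog Settings plugin's source, showing the vulnerable pattern beside the hardened form using standard WordPress helpers; the function names, the menu slug `example-blog-settings` and the hidden-field layout are assumptions chosen only to make the contrast concrete.

```php
<?php
// Added illustration; not the Blog Settings plugin's code. Function names,
// the menu slug and the form layout are assumptions for demonstration.

// VULNERABLE pattern: the 'page' value from the request is reflected into
// the response unchanged, so any markup or script in it reaches the browser.
function example_vulnerable_settings_form() {
    $page = isset( $_GET['page'] ) ? $_GET['page'] : '';
    echo '<form method="post" action="options.php">';
    echo '<input type="hidden" name="page" value="' . $page . '">'; // no escaping
    echo '</form>';
}

// HARDENED pattern: constrain the value on input, allow-list it, escape on output.
function example_hardened_settings_form() {
    // A WordPress admin 'page' value is a menu slug; sanitize_key() reduces it
    // to lowercase [a-z0-9_-] after wp_unslash() removes magic-quote slashes.
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';

    // Allow-list: only slugs this plugin registered are ever echoed back.
    $allowed = array( 'example-blog-settings' ); // assumed slug
    if ( ! in_array( $page, $allowed, true ) ) {
        $page = $allowed[0];
    }

    // esc_url() for the action URL, esc_attr() for the attribute context.
    echo '<form method="post" action="' . esc_url( admin_url( 'options.php' ) ) . '">';
    echo '<input type="hidden" name="page" value="' . esc_attr( $page ) . '">';
    echo '</form>';
}
```

The allow-list is what removes the reflection entirely: even if a later refactor drops `esc_attr()`, only a value the plugin itself defined can reach the output. For the record above, where no patched version exists, the page's own advice (remove or replace the plugin) still applies; this snippet only shows what a fix in the plugin would need to do.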
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <= 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
- [1] Wordfence Intelligence Weekly WordPress Vulnerability Report (May 4, 2026 to May 10, 2026), Wordfence Blog, May 14, 2026