VYPR · NVD Advisory · Medium severity (score 6.4) · Published May 22, 2026

CVE-2026-9104

Description

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unescaped injection path is triggered specifically when the viewing user lacks edit capabilities, meaning payloads embedded in draft post titles via attribute-breakout techniques execute for unauthenticated users and subscribers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Draft List plugin for WordPress up to 2.6.3 stores unescaped draft post titles, allowing authenticated authors to inject stored XSS that executes for users without edit capabilities.

Vulnerability

The Draft List (simple-draft-list) plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the draft post title field. Affected versions are all up to and including 2.6.3 [1][2][3][4]. The vulnerability exists in the create-lists.php file where the $draft_title variable is output without proper sanitization or escaping when the template does not require content counting [1][2][3][4]. An attacker with author-level access or higher can craft a draft post title containing malicious JavaScript payloads, which are then stored and executed when other users view the draft list page.

Exploitation

An authenticated attacker with at least author-level privileges crafts a draft post whose title includes a malicious XSS payload, often using attribute-breakout techniques. When the plugin renders the draft list, the unescaped title is injected into the page HTML. The vulnerable code path is triggered specifically for viewing users who lack edit capabilities (e.g., unauthenticated users or subscribers) [1][2][3][4]. No additional user interaction is required beyond navigating to the page displaying the draft list.
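The two render paths described above, as an added illustration that is not the Draft List plugin's own code and does not reproduce the logic of create-lists.php: a viewer with edit capabilities and a viewer without, with the draft title interpolated into both an attribute and a text node. The function names, the `<span title="">` context, the sample title and the edit URL are constructed assumptions; `esc_html()` and `esc_attr()` are WordPress core escaping functions, polyfilled so the file also runs from the PHP CLI.

```php
<?php
// Added illustration, not the Draft List plugin's own code. Models a draft
// title rendered on two paths: viewers who can edit get a link to the edit
// screen, viewers who cannot get plain markup. The vulnerable form leaves the
// second path unescaped; the hardened form escapes per output context.

// Polyfills so this runs from the php CLI outside WordPress; inside WordPress
// the core esc_html()/esc_attr() are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern (assumed shape): the no-edit-capability branch
// concatenates $draft_title raw into an attribute and a text node.
// In real WordPress code esc_url() is the right escaper for href; esc_attr()
// is used here only to keep the polyfill set small.
function render_draft_vulnerable(string $draft_title, bool $can_edit, string $edit_url): string {
    if ($can_edit) {
        return '<a href="' . esc_attr($edit_url) . '">' . esc_html($draft_title) . '</a>';
    }
    return '<span title="' . $draft_title . '">' . $draft_title . '</span>';
}

// Hardened pattern: every interpolation gets the escaper matching its
// context, regardless of who is viewing.
function render_draft_fixed(string $draft_title, bool $can_edit, string $edit_url): string {
    if ($can_edit) {
        return '<a href="' . esc_attr($edit_url) . '">' . esc_html($draft_title) . '</a>';
    }
    return '<span title="' . esc_attr($draft_title) . '">' . esc_html($draft_title) . '</span>';
}

// Constructed title that closes the title="" attribute and adds one of its
// own. It carries no script; it only shows the attribute breakout.
$title = 'Q3 roadmap" data-injected="1';
$url   = 'https://example.com/wp-admin/post.php?post=42&action=edit'; // constructed

foreach ([true, false] as $can_edit) {
    $who = $can_edit ? 'editor    ' : 'subscriber';
    echo "[$who] vulnerable: " . render_draft_vulnerable($title, $can_edit, $url) . PHP_EOL;
    echo "[$who] fixed:      " . render_draft_fixed($title, $can_edit, $url) . PHP_EOL;
}
// Only the subscriber/vulnerable line gains a data-injected attribute; in the
// fixed output the quote survives only as &quot; and cannot end the attribute.
```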

Impact

Successful exploitation allows the attacker to inject arbitrary web scripts that execute in the browser of any user viewing the draft list page. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data. The injected script runs with the session and privileges of the viewing user, so the impact is bounded by that user's access; if an administrator views the page, the entire WordPress instance can be compromised.

Mitigation

The vendor has released version 2.6.4 which addresses the issue [1][2][3]. Users should update the Draft List plugin to version 2.6.4 or later immediately. No workarounds are provided for older versions. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
