CVE-2026-0594

MEDIUM NUCLEI

WordPress List Site Contributors <1.1.8 - XSS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-0594. PoCs published by m4sh-wacker. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional Go-based exploit for CVE-2026-0594, a reflected XSS vulnerability in the WordPress 'List Site Contributors' plugin. The exploit automates the discovery of vulnerable endpoints via the WordPress REST API and verifies the reflection of an XSS payload through the 'alpha' parameter.

Description

The List Site Contributors plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'alpha' parameter in versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Exploits (1)

nomisec WORKING POC 3 stars
by m4sh-wacker · poc
https://github.com/m4sh-wacker/CVE-2026-0594-ListSiteContributors-Plugin-Exploit

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: WordPress List Site Contributors Plugin
No auth needed
Prerequisites: Target WordPress site with vulnerable plugin installed · Access to the WordPress REST API
MITRE ATT&CK
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

WordPress List Site Contributors < 1.1.8 - Reflected XSS
MEDIUM · VERIFIED · by m4sh_wacker

Scores

CVSS v3 6.1
EPSS 0.0044
EPSS Percentile 63.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (1)
mallsop/List Site Contributors < 1.1.8
Published Jan 14, 2026
Tracked Since Feb 18, 2026