CVE-2026-2502

MEDIUM

WordPress xmlrpc attacks blocker <=1.0 - XSS

Title source: llm

Description

The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page.

References (5)

Core 5

Core References

Product

https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L186

Product

https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L269

Product

https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L312

Product

https://plugins.trac.wordpress.org/browser/xmlrpc-attacks-blocker/tags/1.0/plugin.php#L341

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/059f0c64-efcc-4b79-81eb-b4ae9e3e2826?source=cve

Scores

CVSS v3 6.1

EPSS 0.0027

EPSS Percentile 17.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

yehudah/xmlrpc attacks blocker < 1.0

Published Feb 19, 2026

Tracked Since Feb 19, 2026