EIP-2026-113518

PRE-CVE

WordPress Plugin 404 to 301 2.2.8 - Persistent Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113518. PoCs published by Alyssa Milburn.

AI-analyzed exploit summary The advisory details a stored XSS vulnerability in the 404 to 301 WordPress Plugin, where user-controlled input (Referer and User-Agent headers) is not properly escaped in the admin logs. An attacker can inject malicious scripts, which execute when an admin views the logs.

Description

WordPress Plugin 404 to 301 2.2.8 - Persistent Cross-Site Scripting

Exploits (1)

exploitdb WRITEUP VERIFIED

by Alyssa Milburn · textwebappsphp

https://www.exploit-db.com/exploits/40732

View Code ZIP pw:eip

The advisory details a stored XSS vulnerability in the 404 to 301 WordPress Plugin, where user-controlled input (Referer and User-Agent headers) is not properly escaped in the admin logs. An attacker can inject malicious scripts, which execute when an admin views the logs.

Classification

Writeup 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: 404 to 301 WordPress Plugin version 2.2.8

No auth needed

Prerequisites: Access to submit HTTP requests to the target WordPress site

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026