EIP-2026-113594

PRE-CVE

WordPress Plugin Better WP Security 3.4.8/3.4.9/3.4.10/3.5.2/3.5.3 - Persistent Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113594. PoCs published by Richard Warren.

AI-analyzed exploit summary: The writeup details an unauthenticated stored XSS vulnerability in the Bit51 Better WP Security Plugin, where malicious payloads can be injected via 404 error logs and executed when viewed by an admin. The technical analysis includes a proof-of-concept request demonstrating the exploit.

Description

WordPress Plugin Better WP Security 3.4.8/3.4.9/3.4.10/3.5.2/3.5.3 - Persistent Cross-Site Scripting

Exploits (1)

exploitdb WRITEUP
by Richard Warren · text · webapps · php
https://www.exploit-db.com/exploits/27290

Classification: Writeup 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Bit51 Better WP Security Plugin Version 3.4.8/3.4.9/3.4.10/3.5.2/3.5.3
No auth needed
Prerequisites: Access to the target WordPress site · Admin interaction to view logs
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026