EIP-2026-113629

PRE-CVE

WordPress Plugin Cimy Counter 0.9.4 - HTTP Response Splitting / Cross-Site Scripting

Title source: legacy
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113629. PoCs published by MustLive.

AI-analyzed exploit summary The exploit demonstrates HTTP response-splitting and XSS vulnerabilities in Cimy Counter for WordPress by crafting malicious URIs that inject arbitrary headers or script code via unsanitized input in the 'cc' and 'fn' parameters.

Description

WordPress Plugin Cimy Counter 0.9.4 - HTTP Response Splitting / Cross-Site Scripting

Exploits (1)

exploitdb WORKING POC VERIFIED
by MustLive · textwebappsphp
https://www.exploit-db.com/exploits/34195

The exploit demonstrates HTTP response-splitting and XSS vulnerabilities in Cimy Counter for WordPress by crafting malicious URIs that inject arbitrary headers or script code via unsanitized input in the 'cc' and 'fn' parameters.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Cimy Counter for WordPress < 0.9.5
No auth needed
Prerequisites: Target running vulnerable version of Cimy Counter for WordPress · Ability to craft malicious URIs
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve
Tracked Since Feb 18, 2026