EIP-2026-113629
PRE-CVEWordPress Plugin Cimy Counter 0.9.4 - HTTP Response Splitting / Cross-Site Scripting
Title source: legacyExploitation Summary
EIP tracks 1 public exploit for EIP-2026-113629. PoCs published by MustLive.
AI-analyzed exploit summary The exploit demonstrates HTTP response-splitting and XSS vulnerabilities in Cimy Counter for WordPress by crafting malicious URIs that inject arbitrary headers or script code via unsanitized input in the 'cc' and 'fn' parameters.
Description
WordPress Plugin Cimy Counter 0.9.4 - HTTP Response Splitting / Cross-Site Scripting
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by MustLive · textwebappsphp
https://www.exploit-db.com/exploits/34195
The exploit demonstrates HTTP response-splitting and XSS vulnerabilities in Cimy Counter for WordPress by crafting malicious URIs that inject arbitrary headers or script code via unsanitized input in the 'cc' and 'fn' parameters.
Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target:
Cimy Counter for WordPress < 0.9.5
No auth needed
Prerequisites:
Target running vulnerable version of Cimy Counter for WordPress · Ability to craft malicious URIs
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026
Full analysis →
Details
Status
pre_cve
Tracked Since
Feb 18, 2026