EIP-2026-113659

PRE-CVE

WordPress Plugin Count Per Day - 'daytoshow' Cross-Site Scripting

Title source: legacy
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113659. PoCs published by alejandr0.m0f0.

AI-analyzed exploit summary The exploit demonstrates a reflected XSS vulnerability in the Count Per Day WordPress plugin (versions 3.2.5 and prior) by injecting malicious JavaScript via the 'daytoshow' parameter. The payload is executed in the context of the affected site when an authenticated user visits the crafted URL.

Description

WordPress Plugin Count Per Day - 'daytoshow' Cross-Site Scripting

Exploits (1)

exploitdb WORKING POC VERIFIED
by alejandr0.m0f0 · textwebappsphp
https://www.exploit-db.com/exploits/38359

The exploit demonstrates a reflected XSS vulnerability in the Count Per Day WordPress plugin (versions 3.2.5 and prior) by injecting malicious JavaScript via the 'daytoshow' parameter. The payload is executed in the context of the affected site when an authenticated user visits the crafted URL.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Count Per Day WordPress plugin <= 3.2.5
Auth required
Prerequisites: Authenticated access to WordPress admin panel · Victim interaction (clicking a malicious link)
MITRE ATT&CK
mistral-large-3 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve
Tracked Since Feb 18, 2026