CVE-2026-2502: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in yehudah xmlrpc attacks blocker
The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page.
AI Analysis
Technical Summary
CVE-2026-2502 is a stored cross-site scripting vulnerability in the yehudah xmlrpc attacks blocker WordPress plugin (up to version 1.0). The plugin improperly trusts and logs the 'X-Forwarded-For' HTTP header, which can be attacker-controlled. It then renders these log entries in the debug log page without escaping output, allowing injection of malicious scripts. This vulnerability can be triggered by unauthenticated attackers and leads to script execution in the context of an administrator viewing the logs.
Potential Impact
An unauthenticated attacker can inject arbitrary web scripts that execute in the administrator's browser when viewing the debug log page. This can lead to limited confidentiality and integrity impacts as indicated by the CVSS vector (C:L/I:L/A:N). There is no indication of availability impact or known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should avoid viewing debug logs generated by this plugin or disable the plugin to prevent exploitation. Monitor vendor communications for an official fix or update.
CVE-2026-2502: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in yehudah xmlrpc attacks blocker
Description
The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-2502 is a stored cross-site scripting vulnerability in the yehudah xmlrpc attacks blocker WordPress plugin (up to version 1.0). The plugin improperly trusts and logs the 'X-Forwarded-For' HTTP header, which can be attacker-controlled. It then renders these log entries in the debug log page without escaping output, allowing injection of malicious scripts. This vulnerability can be triggered by unauthenticated attackers and leads to script execution in the context of an administrator viewing the logs.
Potential Impact
An unauthenticated attacker can inject arbitrary web scripts that execute in the administrator's browser when viewing the debug log page. This can lead to limited confidentiality and integrity impacts as indicated by the CVSS vector (C:L/I:L/A:N). There is no indication of availability impact or known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should avoid viewing debug logs generated by this plugin or disable the plugin to prevent exploitation. Monitor vendor communications for an official fix or update.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-13T22:02:17.549Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699697f66aea4a407a3be129
Added to database: 2/19/2026, 4:56:22 AM
Last enriched: 4/9/2026, 10:05:29 PM
Last updated: 5/24/2026, 9:37:56 AM
Views: 120
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.