CVE-2026-0594
Medium
Low
Medium
High
Critical
6.1
CVSS Score
Published: Jan 14, 2026
Last Modified: Jan 14, 2026
Vulnerability Description
The List Site Contributors plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'alpha' parameter in versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
N
Attack Complexity
L
Privileges Required
N
User Interaction
R
Scope
C
Confidentiality
L
Integrity
L
Availability
N
References & Resources
-
https://plugins.trac.wordpress.org/browser/list-site-contributors/tags/1.1.8/list-site-contributors.php#L435security@wordfence.com
-
https://plugins.trac.wordpress.org/browser/list-site-contributors/trunk/list-site-contributors.php#L435security@wordfence.com
-
https://www.wordfence.com/threat-intel/vulnerabilities/id/026a2e0d-4d30-4133-9118-055026aa9f4a?source=cvesecurity@wordfence.com
Severity Details
6.1
out of 10.0
Medium
Key Information
- Published Date
- January 14, 2026
