CVE-2026-1268
Stored XSS in Dynamic Widget Content Plugin via Gutenberg Sidebar
Publication date: 2026-02-05
Last updated on: 2026-02-05
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | dynamic_widget_content | to 1.3.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the widget content field in the Gutenberg editor sidebar in all versions up to and including 1.3.6.
This vulnerability occurs because of insufficient input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts.
These injected scripts execute whenever any user accesses the page containing the injected widget content.
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access or above to inject malicious scripts into pages via the widget content field.
When other users visit these pages, the malicious scripts execute in their browsers, potentially leading to theft of sensitive information, session hijacking, or other malicious actions.
Because the vulnerability is a Stored Cross-Site Scripting issue, the impact includes compromise of user data confidentiality and integrity within the affected WordPress site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the widget content field in the Gutenberg editor sidebar of the Dynamic Widget Content WordPress plugin. Detection would involve identifying injected malicious scripts in widget content fields.
Since the vulnerability requires authenticated access with Contributor-level permissions or higher, detection can include reviewing widget content fields for suspicious or unexpected HTML or JavaScript code.
There are no specific commands provided in the available resources or CVE description to detect this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects all versions of the Dynamic Widget Content plugin up to and including version 1.3.6.
Immediate mitigation involves updating the plugin to version 1.3.7 or later, which includes changes that enhance input sanitization and output escaping, thereby addressing the vulnerability.
Additionally, restrict Contributor-level and higher access to trusted users only, as the vulnerability requires authenticated access at this level.