CVE-2026-2466
Received Received - Intake

Reflected XSS in DukaPress Plugin Allows Admin Account Attacks

Vulnerability report for CVE-2026-2466, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-11

Last updated on: 2026-03-11

Assigner: WPScan

Description

The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-11
Last Modified
2026-03-11
Generated
2026-07-07
AI Q&A
2026-03-11
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
dukapress dukapress to 3.2.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2466 is a Reflected Cross-Site Scripting (XSS) vulnerability in the DukaPress WordPress plugin versions up to and including 3.2.4.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the plugin does not properly sanitize and escape a parameter before outputting it back to the page. This allows attackers to inject malicious JavaScript code that executes in the context of users who view the affected page.'}, {'type': 'paragraph', 'content': "Specifically, an attacker can submit a crafted request with a malicious payload in the 'price' parameter to the plugin's AJAX handler, which then reflects this unsanitized input back to the user, triggering the execution of the injected script."}, {'type': 'paragraph', 'content': 'This flaw is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) and is part of the OWASP Top 10 category A7 - Cross-Site Scripting (XSS).'}] [1]

Impact Analysis

This vulnerability can have serious impacts, especially for high-privilege users such as administrators.

  • Execution of arbitrary JavaScript code in the context of authenticated users.
  • Potential session hijacking, allowing attackers to take over user sessions.
  • Privilege escalation, where attackers could gain higher access rights.
  • Other attacks targeting admin users that could compromise the security and integrity of the WordPress site.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by sending a crafted POST request to the plugin's AJAX handler endpoint and observing if the input is reflected unsanitized in the response, indicating a Reflected Cross-Site Scripting (XSS) flaw."}, {'type': 'paragraph', 'content': 'A suggested command to test this is using curl to submit a malicious payload in the `price` parameter to the `admin-ajax.php?action=dpsc_format_price` endpoint. For example:'}, {'type': 'list_item', 'content': 'curl -X POST -d "price=<script>alert(\'XSS\')</script>" https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=dpsc_format_price'}, {'type': 'paragraph', 'content': 'If the response contains the injected script tags without sanitization or escaping, the vulnerability is present.'}] [1]

Mitigation Strategies

Immediate mitigation steps include:

  • Restrict access to the WordPress admin area and AJAX endpoints to trusted users only.
  • Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the vulnerable parameter.
  • Avoid using or disable the DukaPress plugin until a fixed version is released.
  • Educate administrators to be cautious of suspicious links or inputs that could trigger the XSS.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2466. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart