CVE-2026-39482
Received Received - Intake
DOM-Based XSS in PublishPress Post Expirator

Publication date: 2026-04-08

Last updated on: 2026-04-13

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Post Expirator post-expirator allows DOM-Based XSS.This issue affects Post Expirator: from n/a through <= 4.9.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39482
EUVD
EUVD-2026-20148
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
publishpress post_expirator to 4.9.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability can lead to the execution of malicious scripts on your website, which may result in unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.

This can degrade user trust, harm your website's reputation, and potentially expose users to further attacks.

However, the vulnerability is considered low priority and unlikely to cause significant impact on its own.

It can be leveraged in mass-exploit campaigns targeting many websites indiscriminately.

Mitigation involves updating the plugin to version 4.10.0 or later.

Executive Summary

CVE-2026-39482 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress Post Expirator Plugin versions up to and including 4.9.4.

This vulnerability allows attackers to inject malicious scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”into websites using the vulnerable plugin.

These malicious scripts execute when site visitors access the compromised pages.

Exploitation requires a user with at least Contributor-level privileges to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary.

Detection Guidance

This vulnerability is a DOM-Based Cross Site Scripting (XSS) issue in the WordPress Post Expirator Plugin up to version 4.9.4. Detection typically involves identifying if the vulnerable plugin version is installed and if malicious scripts are being injected or executed on web pages.

Since the vulnerability requires user interaction and involves script injection, detection can include checking the plugin version and monitoring web traffic or page source for suspicious scripts.

  • Check the installed version of the Post Expirator plugin via WP-CLI: `wp plugin list | grep post-expirator`
  • Search for suspicious script tags or payloads in the web pages generated by the plugin using tools like curl or wget, e.g., `curl -s https://yourwebsite.com | grep '<script>'`
  • Use browser developer tools or automated scanners to detect DOM-based XSS payloads when interacting with pages that use the plugin.
Mitigation Strategies

The primary and immediate mitigation step is to update the WordPress Post Expirator Plugin to version 4.10.0 or later, where the vulnerability has been patched.

Additionally, consider limiting user privileges to reduce the risk of exploitation, since the vulnerability requires at least Contributor-level user interaction.

Using security services like Patchstack's mitigation services, which include auto-updates for vulnerable plugins, can also help reduce exposure.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39482. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart