CVE-2026-39482
Received - Intake
DOM-Based XSS in PublishPress Post Expirator

Publication date: 2026-04-08

Last updated on: 2026-04-13

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Post Expirator post-expirator allows DOM-Based XSS. This issue affects Post Expirator: from n/a through <= 4.9.4.
Meta Information
Published: 2026-04-08
Last Modified: 2026-04-13
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: publishpress; Product: post_expirator; Version / Range: up to 4.9.4 (inclusive)
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39482 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress Post Expirator Plugin versions up to and including 4.9.4.

This vulnerability allows attackers to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into websites using the vulnerable plugin.

These malicious scripts execute when site visitors access the compromised pages.

Exploitation requires a user with at least Contributor-level privileges to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary.


How can this vulnerability impact me?

The vulnerability can lead to the execution of malicious scripts on your website, which may result in unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.

This can degrade user trust, harm your website's reputation, and potentially expose users to further attacks.

However, the vulnerability is considered low priority and unlikely to cause significant impact on its own.

It can be leveraged in mass-exploit campaigns targeting many websites indiscriminately.

Mitigation involves updating the plugin to version 4.10.0 or later.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a DOM-Based Cross Site Scripting (XSS) issue in the WordPress Post Expirator Plugin up to version 4.9.4. Detection typically involves identifying if the vulnerable plugin version is installed and if malicious scripts are being injected or executed on web pages.

Since the vulnerability requires user interaction and involves script injection, detection can include checking the plugin version and monitoring web traffic or page source for suspicious scripts.

  • Check the installed version of the Post Expirator plugin via WP-CLI: `wp plugin list | grep post-expirator`
  • Search for suspicious script tags or payloads in the web pages generated by the plugin using tools like curl or wget, e.g., `curl -s https://yourwebsite.com | grep '<script>'`
  • Use browser developer tools or automated scanners to detect DOM-based XSS payloads when interacting with pages that use the plugin.
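The version check above can be made unambiguous by comparing the installed post-expirator version against the fixed release with a real version sort rather than a string compare (4.9.4 sorts after 4.10.0 as a string). The following POSIX shell is an added example, not code from the advisory or from PublishPress; the plugin-list text is a constructed sample in the CSV layout that `wp plugin list --format=csv` prints.

```shell
#!/bin/sh
# Added example (not from the advisory): decide from `wp plugin list` CSV output
# whether the installed Post Expirator is in the affected range (<= 4.9.4)
# or already carries the fix (4.10.0 or later, per the advisory).

FIXED_VERSION="4.10.0"

# Constructed sample in the layout of:
#   wp plugin list --fields=name,status,update,version --format=csv
SAMPLE_PLUGIN_LIST='name,status,update,version
akismet,active,none,5.3
post-expirator,active,available,4.9.4
wordpress-seo,inactive,none,22.1'

# Print the installed post-expirator version from plugin-list CSV text,
# or nothing if the plugin is not installed.
post_expirator_version() {
    printf '%s\n' "$1" | awk -F ',' '$1 == "post-expirator" { print $4 }'
}

# Return 0 (true) when $1 is an affected version, i.e. lower than 4.10.0.
# sort -V performs a version-aware comparison, so 4.9.4 < 4.10.0 and
# 4.9.10 < 4.10.0, which a plain string comparison would get wrong.
is_affected_version() {
    [ -n "$1" ] || return 1
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$1" ] && [ "$1" != "$FIXED_VERSION" ]
}

# Classify a plugin-list text as "affected", "fixed" or "absent".
post_expirator_status() {
    v=$(post_expirator_version "$1")
    if [ -z "$v" ]; then
        echo absent
    elif is_affected_version "$v"; then
        echo affected
    else
        echo fixed
    fi
}

# On a live site replace the sample with:
#   post_expirator_status "$(wp plugin list --fields=name,status,update,version --format=csv)"
echo "sample site: $(post_expirator_status "$SAMPLE_PLUGIN_LIST")"
```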

What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to update the WordPress Post Expirator Plugin to version 4.10.0 or later, where the vulnerability has been patched.

Additionally, consider limiting user privileges to reduce the risk of exploitation, since the vulnerability requires at least Contributor-level user interaction.

Using security services like Patchstack's mitigation services, which include auto-updates for vulnerable plugins, can also help reduce exposure.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

