CVE-2026-6704
Reflected Cross-Site Scripting in Blog Settings WordPress Plugin
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| muki_dam | blog_settings | to 1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Blog Settings plugin for WordPress has a vulnerability known as Reflected Cross-Site Scripting (XSS) in the 'page' parameter in all versions up to and including 1.0.
This vulnerability exists because the plugin does not properly sanitize input or escape output, allowing attackers to inject malicious web scripts.
An unauthenticated attacker can exploit this by tricking a user into clicking a specially crafted link, causing the injected script to execute in the user's browser.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary scripts in the context of the affected website when a user interacts with a malicious link.
Potential impacts include theft of user credentials, session hijacking, defacement of the website, or redirection to malicious sites.
Since the attack requires user interaction (clicking a link), it relies on social engineering to be effective.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Reflected Cross-Site Scripting (XSS) via the 'page' parameter in the Blog Settings WordPress plugin. Detection typically involves testing the 'page' parameter for injection of arbitrary scripts that get reflected in the response.
A common approach is to use tools like curl or browser-based testing to inject test scripts and observe if they are executed or reflected without proper sanitization.
- Use curl to send a request with a script payload in the 'page' parameter, for example: curl -G 'http://yourwordpresssite.com/wp-admin/admin.php' --data-urlencode "page=<script>alert('XSS')</script>"
- Use a web proxy or browser developer tools to monitor responses for reflected script tags or suspicious content in the 'page' parameter.
- Employ automated vulnerability scanners that support XSS detection targeting WordPress plugins.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or uninstalling the vulnerable Blog Settings plugin, as it is no longer available for download and is under review.
Ensure that users are cautious about clicking on suspicious links that may exploit this reflected XSS vulnerability.
Keep WordPress and all plugins updated to the latest versions once a patched version of the plugin is released.
Consider implementing web application firewall (WAF) rules to block malicious requests targeting the 'page' parameter.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the Blog Settings plugin allows reflected cross-site scripting (XSS) attacks, which can lead to unauthorized script execution in users' browsers. This type of vulnerability can potentially expose user data or lead to unauthorized actions on behalf of users.
Such security weaknesses may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and secure handling of personal information. Specifically, failure to prevent XSS vulnerabilities could be seen as insufficient security controls, potentially leading to data breaches or unauthorized access.
However, the provided context does not explicitly state the direct impact on compliance with these regulations.