CVE-2026-9104
Stored XSS in Draft List WordPress Plugin
Publication date: 2026-05-22
Last updated on: 2026-05-22
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | draft_list | up to and including 2.6.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored cross-site scripting via draft post titles in the Draft List plugin for WordPress up to version 2.6.3. Detection involves identifying draft post titles containing suspicious or malicious scripts that could execute when viewed by users without edit capabilities.
Since the vulnerability is triggered by draft post titles, you can inspect the WordPress database for draft posts with unusual or script-like content in their titles.
A possible command to detect suspicious draft post titles via direct database query (assuming access to the WordPress database) is:

```sql
SELECT ID, post_title FROM wp_posts WHERE post_status = 'draft' AND post_title LIKE '%<script>%';
```
Additionally, monitoring HTTP traffic for suspicious payloads or unexpected script injections in pages displaying draft post titles may help detect exploitation attempts.
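The `LIKE '%<script>%'` query above only catches a literal `<script>` tag; it misses a tag carrying attributes, and it misses the attribute-breakout payloads this advisory says reach non-editing users. The following added helper (not code from this page or from the Draft List plugin) applies a few broader checks to draft titles; the titles and post IDs are constructed sample data standing in for the `ID, post_title` rows returned by that query.

```python
import re

# Constructed sample rows (post ID -> post_title), not real site data.
SAMPLE_DRAFT_TITLES = {
    101: "Quarterly roadmap draft",
    102: "Hello <script>alert(1)</script>",
    103: 'Notes" onmouseover="alert(1)',
    104: "Q&A: a <b>bold</b> idea",
    105: 'Link <a href="javascript:alert(1)">here</a>',
    106: "Release <SCRIPT src=//example.invalid/x.js></SCRIPT>",
}

# Checks a plain LIKE '%<script>%' filter would miss: any-case or
# attributed <script tags, a quote followed by an event handler
# (attribute break-out), an inline event handler on any tag, and
# javascript: URLs.
_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "attr_breakout": re.compile(r"""["']\s*on\w+\s*=""", re.IGNORECASE),
    "event_handler_attr": re.compile(r"<\w+[^>]*\son\w+\s*=", re.IGNORECASE),
    "js_url": re.compile(r"javascript\s*:", re.IGNORECASE),
}


def title_findings(title: str) -> list[str]:
    """Return the names of every pattern that matches this title."""
    return [name for name, rx in _PATTERNS.items() if rx.search(title)]


def scan_titles(titles: dict[int, str]) -> dict[int, list[str]]:
    """Map post ID -> findings, keeping only titles with at least one hit."""
    report = {}
    for post_id, title in titles.items():
        hits = title_findings(title)
        if hits:
            report[post_id] = hits
    return report


if __name__ == "__main__":
    # Flags posts 102, 103, 105 and 106; the harmless <b> markup in 104 passes.
    for post_id, hits in scan_titles(SAMPLE_DRAFT_TITLES).items():
        print(f"post {post_id}: {', '.join(hits)}")
```

Any flagged title is a candidate for the manual review recommended in the mitigation answer, not proof of exploitation; confirm how the plugin renders it before acting.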
Can you explain this vulnerability to me?
The Draft List plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 2.6.3. This occurs because the plugin does not properly sanitize or escape input in draft post titles.
Authenticated users with author-level access or higher can inject malicious web scripts into draft post titles. These scripts execute whenever a user views the affected page.
The vulnerability is especially dangerous because the malicious scripts can execute for users who do not have edit permissions, including unauthenticated users and subscribers, through attribute-breakout techniques.
How can this vulnerability impact me?
This vulnerability can allow attackers to execute arbitrary scripts in the context of the affected website, potentially leading to theft of user credentials, session hijacking, or unauthorized actions performed on behalf of users.
Because the malicious scripts can run for unauthenticated users and subscribers, it increases the risk of widespread exploitation and compromise of user data.
The vulnerability has a CVSS v3.1 base score of 6.4, indicating a medium severity with network attack vector, low attack complexity, and no user interaction required.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, the immediate step is to update the Draft List plugin to a version later than 2.6.3 where the input sanitization and output escaping issues are fixed.
If an update is not immediately possible, restrict author-level access and above to trusted users only, as the vulnerability requires authenticated users with author-level permissions to inject malicious scripts.
Additionally, review and sanitize draft post titles manually to remove any suspicious scripts or payloads.
Implement web application firewall (WAF) rules to detect and block attempts to inject or execute malicious scripts via draft post titles.