CVE-2026-9271
Remote Code Execution in WordPress Plugin

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: WPScan

Affected Vendors & Products

Vendor: keepinmind
Product: dashboard_notes
Version / Range: up to 0.8.4.2 (excluding)
CWE ID: CWE-UNKNOWN

Executive Summary

The KeepInMind – Dashboard Notes plugin for WordPress, versions 0.8.4.2 and below, contains a critical Stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-9271).

This vulnerability allows attackers with low-privileged roles, such as Contributors, to inject malicious scripts into notes through the REST API because the plugin does not properly sanitize the 'content' parameter.

Because of this, dangerous CSS properties such as 'position: fixed', 'z-index', and viewport units survive in stored note content and can be used to overlay and manipulate the WordPress admin user interface.

When an Administrator views the dashboard, the injected malicious payload executes, displaying a fake 'Session Expired' prompt that tricks the administrator into entering their credentials on an attacker-controlled server.

Impact Analysis

This vulnerability can lead to Administrative Account Takeover (ATO), allowing attackers to gain full control over the WordPress backend.

Additionally, it can cause a persistent Denial of Service (DoS) by blocking access to the WordPress backend through UI manipulation.

Detection Guidance

This vulnerability affects the KeepInMind – Dashboard Notes WordPress plugin, versions 0.8.4.2 and below. Detection has two parts: checking the installed plugin version, and inspecting notes submitted via the REST API for injected markup.

You can detect the vulnerability by verifying the plugin version installed on your WordPress site. If it is version 0.8.4.2 or below, it is vulnerable.

To check the plugin version, you can use WP-CLI commands such as:

  • wp plugin list --status=active
  • wp plugin get keepinmind-dashboard-notes --field=version

Additionally, you can monitor REST API requests to the notes endpoint for suspicious content in the `content` parameter that includes dangerous CSS properties like `position: fixed`, `z-index`, or viewport units.
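Detection logic for the monitoring step described above, as an added example that is not part of this advisory or of the plugin's own code: it extracts inline style attributes and <style> blocks from a note's `content` field and flags the CSS patterns the advisory names. The regular expressions, the assumed JSON request-body shape and the sample bodies are constructed for illustration.

```python
import json
import re

# Constructed patterns for the CSS the advisory names as dangerous when it
# survives sanitisation of the note 'content' parameter.
DANGEROUS_RULES = [
    ("position-fixed", re.compile(r"position\s*:\s*fixed\b", re.I)),
    ("z-index", re.compile(r"z-index\s*:\s*-?\d+", re.I)),
    ("viewport-unit", re.compile(r"-?\d*\.?\d+\s*(vw|vh|vmin|vmax)\b", re.I)),
]

# Inline style="..." attributes and <style>...</style> blocks.
STYLE_ATTR = re.compile(r"""style\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.I)
STYLE_TAG = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)


def extract_css(html: str) -> list[str]:
    """Return every inline style attribute value and <style> block body."""
    css = []
    for m in STYLE_ATTR.finditer(html):
        css.append(m.group(1) if m.group(1) is not None else m.group(2))
    css.extend(m.group(1) for m in STYLE_TAG.finditer(html))
    return css


def find_dangerous_css(html: str) -> list[str]:
    """Names of the dangerous CSS patterns present in the note markup."""
    hits = []
    for chunk in extract_css(html):
        for name, pattern in DANGEROUS_RULES:
            if pattern.search(chunk) and name not in hits:
                hits.append(name)
    return hits


def scan_rest_body(body: str) -> list[str]:
    """Scan a JSON REST request body (assumed {"content": "<html>"}) and flag
    the 'content' field; malformed or non-object bodies yield no findings."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    content = data.get("content", "") if isinstance(data, dict) else ""
    return find_dangerous_css(content if isinstance(content, str) else "")


if __name__ == "__main__":
    # Constructed sample request body mimicking a UI-overlay note.
    sample = json.dumps({"content": '<div style="position: fixed; top:0; '
                         'width:100vw; height:100vh; z-index: 99999">x</div>'})
    print(scan_rest_body(sample))
```

Run it against captured REST request bodies for the notes endpoint; any non-empty result is worth reviewing, and a note whose author has a Contributor-level role is the case the advisory describes.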

Mitigation Strategies

The immediate mitigation step is to update the KeepInMind – Dashboard Notes plugin to version 0.8.4.2 or later, where the vulnerability has been fixed.

Until the update can be applied, restrict low-privileged user roles (such as Contributors) from accessing or using the Dashboard Notes plugin features to prevent exploitation.

Also, monitor for any suspicious activity or unauthorized script injections in the notes via the REST API and consider temporarily disabling the plugin if exploitation is suspected.

Compliance Impact

The vulnerability allows attackers to perform Administrative Account Takeover (ATO) by injecting malicious scripts that trick administrators into revealing credentials. This can lead to unauthorized access to sensitive data and persistent Denial of Service (DoS) on the WordPress backend.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information and mandate controls against unauthorized access.
