{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5506", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-03T16:32:34.231Z", "datePublished": "2026-04-08T06:43:42.081Z", "dateUpdated": "2026-04-08T17:26:54.613Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:54.613Z"}, "affected": [{"vendor": "lucascaro", "product": "Wavr", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.2.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wave` shortcode in all versions up to, and including, 0.2.6. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Wavr <= 0.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8987bc5-2bc0-4a92-bcf0-cc3245e15bed?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wavr/tags/0.2.6/wavr.php#L82"}, {"url": "https://plugins.trac.wordpress.org/browser/wavr/trunk/wavr.php#L82"}, {"url": "https://plugins.trac.wordpress.org/browser/wavr/tags/0.2.6/wavr.php#L99"}, {"url": "https://plugins.trac.wordpress.org/browser/wavr/trunk/wavr.php#L99"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "timeline": [{"time": "2026-04-07T17:37:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T13:54:04.061242Z", "id": "CVE-2026-5506", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T13:54:12.421Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5506", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T13:54:04.061242Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T13:54:08.524Z"}}], "cna": {"title": "Wavr <= 0.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "lucascaro", "product": "Wavr", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.2.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-07T17:37:07.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8987bc5-2bc0-4a92-bcf0-cc3245e15bed?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wavr/tags/0.2.6/wavr.php#L82"}, {"url": "https://plugins.trac.wordpress.org/browser/wavr/trunk/wavr.php#L82"}, {"url": "https://plugins.trac.wordpress.org/browser/wavr/tags/0.2.6/wavr.php#L99"}, {"url": "https://plugins.trac.wordpress.org/browser/wavr/trunk/wavr.php#L99"}], "descriptions": [{"lang": "en", "value": "The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wave` shortcode in all versions up to, and including, 0.2.6. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T06:43:42.081Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5506", "state": "PUBLISHED", "dateUpdated": "2026-04-08T13:54:12.421Z", "dateReserved": "2026-04-03T16:32:34.231Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T06:43:42.081Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wave` shortcode in all versions up to, and including, 0.2.6. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-5506", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T07:16:23.203", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wavr/tags/0.2.6/wavr.php#L82"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wavr/tags/0.2.6/wavr.php#L99"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wavr/trunk/wavr.php#L82"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wavr/trunk/wavr.php#L99"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8987bc5-2bc0-4a92-bcf0-cc3245e15bed?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.2.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Wavr", "source": "cna", "vendor": "lucascaro"}, "product": "wavr", "vendor": "lucascaro"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T08:51:21.142871+00:00", "value": {"mitigation_remediation": ["Upgrade the Wavr plugin to a patched version (0.2.7 or later).", "If an upgrade is not feasible, disable or remove the wave shortcode from content to prevent XSS."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Affected systems are WordPress installations that use the Wavr plugin version 0.2.6 or earlier. The vendor is lucascaro. All releases up to and including that version are impacted, as the source code shown in the references contains the vulnerable functions. Sites that still run any of these versions, regardless of their specific WordPress version, are susceptible.", "description_and_impact": "The vulnerability arises from the Wavr plugin's `wave` shortcode not properly sanitizing and escaping user\u2011provided attributes. An authenticated user with contributor or higher privileges can embed arbitrary JavaScript that is stored and executed whenever a page containing the shortcode is accessed. This results in persistent cross\u2011site scripting, allowing the attacker to steal session cookies, inject tracking scripts, or perform other malicious actions on behalf of site visitors.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates a moderate impact, and the requirement of authenticated contributor access limits the attack surface to users with site privileges. Because there is no EPSS score and no listing in KEV, the likelihood of exploitation is uncertain, but the potential impact on confidentiality, integrity, and availability of all site visitors is significant. The vulnerability is therefore a moderate\u2011to\u2011high risk for sites where the shortcode is used and where contributors are trusted but could be compromised."}}}}, "created": "2026-04-08T19:31:04.573401+00:00", "updated": "2026-04-08T19:43:36.435700+00:00", "vendors": ["lucascaro", "lucascaro$PRODUCT$wavr", "wordpress", "wordpress$PRODUCT$wordpress"]}