Reflected Cross-Site Scripting Vulnerability in List Site Contributors Plugin for WordPress
CVE-2026-0594

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: List Site Contributors
Vendor: CVE Published:; 14 January 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-0594?

The List Site Contributors plugin for WordPress is susceptible to a reflected Cross-Site Scripting (XSS) vulnerability through the 'alpha' parameter. This issue arises from inadequate input sanitization and output escaping, allowing unauthenticated attackers to inject malicious scripts into pages. If a user is tricked into clicking a manipulated link, the injected script can execute in their browser, potentially compromising personal information and user security.

Affected Version(s)

List Site Contributors * <= 1.1.8

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-0594-ListSiteContributors-Plugin-Exploit
Created by m4sh-wacker

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/list-site-cont...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

🟡
Public PoC available
Jan 23, 2026
👾
Exploit known to exist
Jan 23, 2026
Vulnerability published
Jan 14, 2026
Vulnerability Reserved
Jan 4, 2026

Credit

Bhumividh Treloges

JSON