Stored Cross-Site Scripting Vulnerability in Webmention Plugin for WordPress
CVE-2026-10513

7.2 HIGH

Key Information:

Vendor: WordPress
CVE Published: 30 June 2026

What is CVE-2026-10513?

The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting because of inadequate input sanitization and output escaping of user-supplied metadata. The issue arises when the plugin processes MF2 author properties through an unauthenticated webmention REST endpoint. The rendered output can lead to the injection of arbitrary web scripts into comment editing screens, posing a significant risk whenever a privileged user accesses the affected interface. Proper precautions must be taken to mitigate the risk of unauthorized script execution.

Affected Version(s)

Webmention 0 <= 5.8.0

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Volodymyr Kolesnykov