Stored Cross-Site Scripting in Ultimate Post Plugin for WordPress
CVE-2026-13253
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-13253?
The Ultimate Post plugin for WordPress is affected by a Stored Cross-Site Scripting vulnerability caused by insufficient input sanitization in the 'moreResultsText' block attribute. Specifically, the render callback for the Advanced_Search block fails to properly escape HTML special characters, allowing authenticated users with contributor-level access to inject malicious scripts. When users access a compromised page, these scripts will execute, potentially leading to data theft or further exploitation.
Affected Version(s)
Post Grid Gutenberg Blocks β PostX 0 <= 5.0.31