Stored Cross-Site Scripting Vulnerability in Private WP Suite Plugin for WordPress
CVE-2026-2719

4.4MEDIUM

Key Information:

Vendor: WordPress
Status: Private WP Suite
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-2719?

The Private WP Suite plugin for WordPress is susceptible to a stored cross-site scripting vulnerability that allows authenticated users with Administrator-level access to inject and execute arbitrary web scripts. This vulnerability arises from inadequate input sanitization and output escaping within the 'Exceptions' setting. The risk is particularly pronounced in multi-site installations and those where unfiltered_html functionality is disabled, resulting in potential exploitation whenever a user interacts with an affected page.

Affected Version(s)

Private WP suite 0 <= 0.4.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/private-wp-sui...

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Feb 18, 2026

Credit

Muhammad Nur Ibnu Hubab

CVE-2026-2719 Data

JSON