Stored Cross-Site Scripting in Stock Ticker Plugin for WordPress
CVE-2026-2722

4.8MEDIUM

Key Information:

Vendor

WordPress
Status
Stock Ticker
Vendor
CVE Published:
7 March 2026

What is CVE-2026-2722?

The Stock Ticker plugin for WordPress suffers from a Stored Cross-Site Scripting vulnerability due to inadequate input validation and output encoding within admin settings. This issue affects all versions up to and including 3.26.1, especially in multi-site environments or when the unfiltered_html feature is disabled. Authenticated users with administrative privileges can exploit this flaw to inject and execute arbitrary scripts in pages viewed by other users, potentially compromising site integrity and user information.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Stock Ticker * <= 3.26.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/stock-ticker/t...
https://plugins.trac.wordpress.org/browser/stock-ticker/t...

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yoschanin Pulsirivong
Ronnachai Sretawat Na Ayutaya
Ronnachai Chaipha
JSON
.