Cross-Site Scripting Vulnerability in WP Simple HTML Sitemap by Ashish Ajani
CVE-2026-39654

Currently unrated

Key Information:

Vendor: WordPress
Status: WP Simple Html Sitemap
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-39654?

A vulnerability exists in the WP Simple HTML Sitemap plugin developed by Ashish Ajani, allowing for potential Cross-Site Scripting (XSS) attacks due to improper neutralization of input during web page generation. This weakness can be exploited by malicious actors to inject harmful scripts into web pages viewed by users, potentially compromising sensitive data or performing unwanted actions within the user's browser session. The affected versions are those prior to and including 3.8.

Affected Version(s)

WP Simple HTML Sitemap 0 <= 3.8

References

https://patchstack.com/database/Wordpress/Plugin/wp-simpl...

vdb-entry

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Apr 7, 2026

Credit

Jitlada | Patchstack Bug Bounty Program

CVE-2026-39654 Data

JSON

WordPress

What is CVE-2026-39654?

Affected Version(s)

References

Timeline

Credit