Cross-site Scripting Vulnerability in WPComplete by Nexcess
CVE-2026-42750

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: WPcomplete
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-42750?

The WPComplete plugin by Nexcess is susceptible to a Cross-site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation. This vulnerability allows attackers to execute arbitrary JavaScript in the context of the affected users' browsers, potentially leading to session hijacking, data manipulation, and unauthorized actions on behalf of users. Affected versions include those up to and including 2.9.5.4, posing a risk to installations that do not apply timely updates.

Affected Version(s)

WPComplete 0 <= 2.9.5.4

References

https://patchstack.com/database/Wordpress/Plugin/wpcomple...

vdb-entry

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
Apr 29, 2026

Credit

hhhai | Patchstack Bug Bounty Program

CVE-2026-42750 Data

JSON