Stored Cross-Site Scripting in WP Latest Posts Plugin by WordPress
CVE-2026-9620

6.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 24 June 2026

What is CVE-2026-9620?

The WP Latest Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting because of inadequate output escaping. An authenticated attacker with author-level access can inject web scripts through manipulated image src attributes in post content. The plugin reuses the src value when it reconstructs `<img>` elements and CSS background-image declarations, and it does so without sufficient filtering. The injected script then executes in the browser of any user who views a page containing it.
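
A hardened way to rebuild both output contexts named above, as an added example that is not the plugin's code or its fix. The function names and sample values are hypothetical; inside WordPress, esc_url() and esc_attr() are the usual helpers for this job.

```php
<?php
// Added example: validate a post-supplied image URL once, then escape it
// for the context it is written into. Function names are hypothetical.

/** Return the URL if it is http(s) and free of markup/CSS metacharacters, else null. */
function safe_image_url(string $src): ?string
{
    $src = trim($src);
    // Allowlist of URL characters. Quotes, parentheses, angle brackets,
    // backslashes and whitespace are rejected outright.
    if (!preg_match('~^https?://[A-Za-z0-9._:/?#\[\]@!$&*+,;=%-]+$~', $src)) {
        return null;
    }
    return $src;
}

/** Rebuild an <img> element; emit nothing when the src fails validation. */
function render_img(string $src, string $alt = ''): string
{
    $url = safe_image_url($src);
    if ($url === null) {
        return '';
    }
    return sprintf('<img src="%s" alt="%s">',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($alt, ENT_QUOTES, 'UTF-8'));
}

/** Rebuild a background-image declaration inside a style attribute. */
function render_background(string $src): string
{
    $url = safe_image_url($src);
    if ($url === null) {
        return '<div></div>';
    }
    // url('...') uses single quotes so it nests in the double-quoted attribute.
    return sprintf('<div style="background-image:url(\'%s\')"></div>',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample values, not taken from the advisory.
$samples = [
    'https://example.test/uploads/photo.png',
    'https://example.test/a.png" onload="x',   // tries to leave the attribute
    "https://example.test/a.png');color:red",  // tries to leave url('...')
    'javascript:void(0)',                      // non-http(s) scheme
];
foreach ($samples as $s) {
    echo render_img($s), "\n", render_background($s), "\n";
}
```

Only the first sample produces an image; the other three fail validation and are dropped before any markup is built.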

Affected Version(s)

WP Latest Posts 0 <= 5.0.11

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Yudha - DJ