{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39517", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:03.414Z", "datePublished": "2026-04-08T08:30:15.367Z", "dateUpdated": "2026-04-10T17:58:22.841Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "blog-filter", "product": "Blog Filter", "vendor": "A WP Life", "versions": [{"changes": [{"at": "1.7.7", "status": "unaffected"}], "lessThanOrEqual": "1.7.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:29:02.201Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.<p>This issue affects Blog Filter: from n/a through <= 1.7.6.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.This issue affects Blog Filter: from n/a through <= 1.7.6."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:15.367Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/blog-filter/vulnerability/wordpress-blog-filter-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Blog Filter plugin <= 1.7.6 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T17:58:18.465496Z", "id": "CVE-2026-39517", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T17:58:22.841Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39517", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T17:58:18.465496Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T17:58:07.728Z"}}], "cna": {"title": "WordPress Blog Filter plugin <= 1.7.6 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "affected": [{"vendor": "A WP Life", "product": "Blog Filter", "versions": [{"status": "affected", "changes": [{"at": "1.7.7", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.7.6"}], "packageName": "blog-filter", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:29:02.201Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/blog-filter/vulnerability/wordpress-blog-filter-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.This issue affects Blog Filter: from n/a through <= 1.7.6.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.<p>This issue affects Blog Filter: from n/a through <= 1.7.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:15.367Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39517", "state": "PUBLISHED", "dateUpdated": "2026-04-10T17:58:22.841Z", "dateReserved": "2026-04-07T10:48:03.414Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:15.367Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.This issue affects Blog Filter: from n/a through <= 1.7.6."}], "id": "CVE-2026-39517", "lastModified": "2026-04-10T18:16:44.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:25.493", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/blog-filter/vulnerability/wordpress-blog-filter-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.7.6]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "matching"}]}, "original": {"product": "Blog Filter", "source": "cna", "vendor": "A WP Life"}, "product": "blog_filter", "vendor": "awplife"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-10T19:38:40.744831+00:00", "value": {"mitigation_remediation": ["Upgrade the Blog Filter plugin to the latest available version (any release newer than 1.7.6).", "Verify that the updated plugin no longer reflects injected scripts by testing common XSS vectors before restoring production traffic."], "summary": {"action": "Immediate Patch", "impact": "DOM\u2011Based Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the A WP Life Blog Filter product, known by its vendor name A WP Life: Blog Filter. Versions from the initial release up to and including 1.7.6 are impacted. No other specific version ranges are given, and the plugin is publicly available on WordPress.org.", "description_and_impact": "Improper neutralization of user input during page generation in the Blog Filter plugin permits a DOM\u2011based cross\u2011site scripting attack. This type of vulnerability (CWE\u201179) allows an attacker to inject and execute arbitrary JavaScript in the context of a victim\u2019s browser, which can lead to session hijacking, defacement, or the insertion of malicious content. The vulnerability exists because the plugin fails to sanitize or encode input before it is used in the generated web page. The potential impact is confined to the web application\u2019s client\u2011side code and can affect all users who visit pages affected by the plugin.", "risk_and_exploitability": "The CVSS score for this vulnerability is 6.5, indicating moderate severity, and the EPSS score is below 1%, suggesting a low likelihood of widespread exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is inferred to be client\u2011side, requiring an attacker to supply malicious input through the plugin\u2019s interface or exposed parameters. Because the flaw is DOM\u2011based, it can be triggered by loading a crafted URL or by submitting untrusted data via the plugin\u2019s filtering mechanism. The impact is limited to users who interact with pages rendered by the affected plugin and does not grant the attacker direct server\u2011side control."}}}}, "created": "2026-04-08T19:42:56.309910+00:00", "updated": "2026-04-13T14:25:29.140244+00:00", "vendors": ["awplife", "awplife$PRODUCT$blog_filter", "wordpress", "wordpress$PRODUCT$wordpress"]}