PT-2026-20641 · WordPress · Xmlrpc Attacks Blocker
Nabil Irawan
·
Published
2026-02-19
·
Updated
2026-02-23
·
CVE-2026-2502
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
xmlrpc attacks blocker plugin for WordPress versions prior to 1.1
Description
The xmlrpc attacks blocker plugin for WordPress is susceptible to Stored Cross-Site Scripting. This occurs due to the plugin trusting and logging attacker-controlled data from the
X-Forwarded-For HTTP header, and then rendering debug log entries without proper output escaping. This allows unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page.Recommendations
Update the xmlrpc attacks blocker plugin to version 1.1 or later.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Xmlrpc Attacks Blocker