CVE-2026-6690

Name of the Vulnerable Software and Affected Versions LifePress versions prior to 2.2.3

Description The LifePress plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the wp ajax nopriv lp update mds function is registered without capability checks or nonce verification (a unique token used to prevent cross-site request forgery), and fails to properly sanitize input and escape output when rendering the series name in the admin settings page. Unauthenticated attackers can exploit this by sending arbitrary web scripts through the 'n' parameter of the 'lp update mds' AJAX action, which then execute when a user visits the affected page.

Recommendations Update the plugin to a version later than 2.2.2. As a temporary workaround, restrict access to the 'lp update mds' AJAX action or the 'n' parameter until the update is applied.