CVE-2026-9104

Name of the Vulnerable Software and Affected Versions Draft List plugin for WordPress versions prior to 2.6.4

Description Insufficient input sanitization and output escaping allow authenticated attackers with author-level access or higher to perform Stored Cross-Site Scripting. This occurs when arbitrary web scripts are injected into draft post titles using attribute-breakout techniques. These scripts execute when a user accesses the affected page, specifically when the viewing user does not have edit capabilities, impacting unauthenticated users and subscribers.

Recommendations Update the plugin to a version later than 2.6.3.