CVE-2026-10513
HighCVSS 7.2Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
The Webmention plugin for WordPress up to version 5.8.0 is vulnerable to Stored Cross-Site Scripting via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the unauthenticated webmention REST endpoint and rendered directly into HTML 'value' attributes by the edit-comment-form template.
Risk Assessment
An unauthenticated attacker can inject arbitrary scripts that execute when a moderator or administrator opens the affected comment edit screen, potentially leading to session theft, defacement, or privilege escalation.
Recommendation
Immediately update the Webmention plugin to the latest patched version. If an update is not possible, temporarily disable the webmention REST endpoint or restrict access to it.
Original NVD description (English source)
The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the unauthenticated webmention REST endpoint and rendered directly into HTML 'value' attributes by the edit-comment-form template without esc_attr() or esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a privileged user (moderator or administrator) opens the affected comment edit screen.

