External risk intelligence

WordPress plugin lets authenticated attackers run scripts in visitors' browsers

CVE advisory

Severity: MEDIUM (CVSS 6.4)

CVE-2026-9104

An external attacker with WordPress author access can inject scripts into draft post titles, which run when others view the page, potentially stealing session cookies or redirecting users to phishing sites. This can lead to unauthorized access to user accounts.

Halo Surface Signal score: 3

Cross-site Scripting

External exposure likelihood

Halo Surface Signal score for CVE-2026-9104

The vulnerability exists within a WordPress plugin, which is part of an internet-facing web application. While the application itself is commonly exposed to the public internet, the requirement for author-level authentication to inject the payload makes it less likely to be exposed to, or exploitable by, a broad public audience than an unauthenticated endpoint would be.

Horizon Alert

Summary of the vulnerability and why it matters

The Draft List plugin for WordPress has a vulnerability that could allow an attacker to inject malicious scripts. This means that if a user visits a page with an injected script, that script could automatically run in their browser, potentially exposing sensitive information or performing unwanted actions.

  • Allows script injection via draft post titles.
  • Affects users who view affected pages.
  • Attack requires existing author-level access.

Attack Path

How an attacker could exploit the issue

An attacker with author-level access or higher in WordPress can exploit this by injecting malicious scripts into draft post titles. When a user without edit capabilities views a page displaying these draft titles, the scripts will execute. This can lead to arbitrary script execution for other users.

  • Authenticated access required.
  • Target: Draft post titles.
  • Payload executes for lower-privileged users.

Live Threat

Current exploitation, exposure, and threat context

This stored cross-site scripting vulnerability in the Draft List plugin for WordPress allows authenticated attackers with author-level access to inject malicious scripts. While the vulnerability requires authentication, it could be weaponized by attackers targeting specific WordPress sites. The exploit path specifically targets users lacking edit capabilities, potentially enabling execution for unauthenticated users and subscribers.

  • No observed KEV listing.
  • Public exploit code is not yet widely available.
  • Plugin is deferred, limiting immediate threat.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize identifying and blocking traffic that attempts to exploit the Draft List plugin's stored XSS vulnerability, particularly targeting draft post titles. Review logs for signs of script injection attempts or successful execution by author-level users or above.

  • Block or filter requests containing script tags or malicious payloads.
  • Monitor for new draft posts with suspicious titles.
  • Update the Draft List plugin to a patched version when available.
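The second bullet above (monitor for new draft posts with suspicious titles) is the one a site operator can automate. The snippet below is an added, illustrative example written for this advisory; it is not code from the Draft List plugin, and the function names prefixed `ex_` are assumptions. It uses only core WordPress APIs (`get_posts`, `wp_strip_all_tags`, the `save_post` action) to audit the titles already stored on the site and to log new suspicious drafts as they are saved. It can be dropped into a must-use plugin or run with `wp eval-file`.

```php
<?php
/**
 * Illustrative audit of stored draft titles (example code, not the plugin's own).
 * Assumes it runs inside a loaded WordPress environment.
 */

/** Return true when a title carries markup or script-bearing constructs. */
function ex_title_looks_suspicious( string $title ): bool {
    // If stripping tags changes the string, a tag of some kind was present.
    if ( wp_strip_all_tags( $title ) !== $title ) {
        return true;
    }
    // Event-handler attributes or script URLs can appear without a full tag.
    return (bool) preg_match( '/\bon[a-z]+\s*=|javascript\s*:/i', $title );
}

/** Collect the draft posts whose titles trip the heuristic, for review. */
function ex_find_suspicious_drafts(): array {
    $hits   = [];
    $drafts = get_posts( [
        'post_type'        => 'post',
        'post_status'      => 'draft',
        'posts_per_page'   => -1,
        'suppress_filters' => true,
    ] );
    foreach ( $drafts as $post ) {
        if ( ex_title_looks_suspicious( $post->post_title ) ) {
            $hits[] = [
                'ID'       => $post->ID,
                'author'   => (int) $post->post_author,
                'title'    => $post->post_title,
                'modified' => $post->post_modified_gmt,
            ];
        }
    }
    return $hits;
}

// Also watch saves, so a newly injected title is logged the moment it lands.
add_action( 'save_post', function ( int $post_id, WP_Post $post ): void {
    if ( 'draft' === $post->post_status && ex_title_looks_suspicious( $post->post_title ) ) {
        error_log( sprintf(
            'Suspicious draft title on post %d by user %d',
            $post_id,
            (int) $post->post_author
        ) );
    }
}, 10, 2 );
```

The heuristic is deliberately simple: it flags any tag and the two constructs most commonly used without one, which is enough to surface titles that deserve a human look. Treat the `author` field in each hit as the account to review, since the advisory's attack path starts from an author-level login.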

Frequently asked questions

What is the Draft List plugin and its function in WordPress?

The Draft List plugin for WordPress is used to manage and display unpublished posts, or drafts. It allows users to showcase these drafts on their website through shortcodes or widgets. This feature can be beneficial for SEO purposes or to give visitors a preview of upcoming content.

What vulnerability does CVE-2026-9104 represent?

CVE-2026-9104 is a Stored Cross-Site Scripting (XSS) vulnerability, categorized as CWE-79. This occurs when a web application stores user input without validating it and then displays it without escaping, enabling attackers to inject malicious scripts that run in other users' browsers.
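To make the CWE-79 pattern concrete, here is an added example (not the Draft List plugin's code; the `ex_` names are assumptions) of a minimal shortcode that lists draft titles. The first function shows the defective shape the advisory describes, where a stored title is concatenated straight into HTML; the second escapes it with WordPress's `esc_html()` at the point of output, which is the fix for this class of bug.

```php
<?php
/**
 * Illustrative draft-listing shortcode (example code, not the plugin's own).
 * Assumes a loaded WordPress environment.
 */

/** Defective pattern: the stored title reaches the page unescaped. */
function ex_render_drafts_unsafe(): string {
    $out = '<ul>';
    foreach ( get_posts( [ 'post_status' => 'draft', 'posts_per_page' => 5 ] ) as $post ) {
        // post_title was written by whoever saved the draft (an author-level
        // account suffices), so any markup inside it is sent to every viewer.
        $out .= '<li>' . $post->post_title . '</li>';
    }
    return $out . '</ul>';
}

/** Hardened pattern: escape for the HTML-text context at output time. */
function ex_render_drafts_safe(): string {
    $out = '<ul>';
    foreach ( get_posts( [ 'post_status' => 'draft', 'posts_per_page' => 5 ] ) as $post ) {
        // esc_html() turns <, >, &, " and ' into entities, so the title is
        // shown literally and cannot introduce tags or attributes.
        $out .= '<li>' . esc_html( $post->post_title ) . '</li>';
    }
    return $out . '</ul>';
}

// Only the escaped renderer is registered.
add_shortcode( 'ex_draft_list', 'ex_render_drafts_safe' );
```

The escape belongs at output rather than at save time: the same title may later be rendered into an attribute or a URL, each of which needs its own escaping function (`esc_attr()`, `esc_url()`), and escaping once for HTML text does not cover those contexts.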

How can an attacker exploit the Draft List plugin vulnerability?

An attacker with author-level access can inject malicious scripts into draft post titles. These scripts execute when a user without edit capabilities views a page that displays these drafts. The vulnerability allows for arbitrary script execution on pages viewed by unauthenticated users and subscribers.

What is the relevance of CVE-2026-9104 based on Halo Surface Signal?

Halo classifies this CVE as 'Possible' risk. The vulnerability is in a WordPress plugin, which is often internet-facing. However, the need for author-level authentication to inject the payload makes broad exploitation less likely than for unauthenticated vulnerabilities.

What actions should be taken regarding the Draft List plugin vulnerability?

It is recommended to identify and block traffic attempting to exploit this stored XSS vulnerability, especially targeting draft post titles. Monitoring logs for script injection attempts is advised. Updating the Draft List plugin to a patched version as soon as it becomes available is the primary remediation.
