{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2434", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-12T22:01:50.881Z", "datePublished": "2026-04-17T22:27:13.525Z", "dateUpdated": "2026-04-17T22:27:13.525Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T22:27:13.525Z"}, "affected": [{"vendor": "poporon", "product": "Pz-LinkCard", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.5.8.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Pz-LinkCard <= 2.5.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/687ffac2-1f07-4adb-ba12-5f2ea357ea7e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/pz-linkcard/tags/2.5.8/pz-linkcard.php#L442"}, {"url": "https://plugins.trac.wordpress.org/browser/pz-linkcard/tags/2.5.8/pz-linkcard.php#L636"}, {"url": "https://plugins.trac.wordpress.org/browser/pz-linkcard/trunk/pz-linkcard.php#L636"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-04-17T09:44:19.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-2434", "lastModified": "2026-04-17T23:16:12.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-17T23:16:12.167", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/pz-linkcard/tags/2.5.8/pz-linkcard.php#L442"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/pz-linkcard/tags/2.5.8/pz-linkcard.php#L636"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/pz-linkcard/trunk/pz-linkcard.php#L636"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/687ffac2-1f07-4adb-ba12-5f2ea357ea7e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:52:06.739697+00:00", "value": {"mitigation_remediation": ["Update the Pz\u2011LinkCard plugin to the latest available release that corrects input validation and output escaping for the 'blogcard' shortcode.", "If an update is not possible immediately, remove or delete any existing posts or pages that use the 'blogcard' shortcode with potentially malicious attributes, or disable the shortcode entirely.", "Deploy a site\u2011wide output escaping strategy or use a security plugin that blocks stored XSS, and audit existing content for leftover scripts."], "summary": {"action": "Apply Update", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Pz\u2011LinkCard plugin, poporon:Pz\u2011LinkCard, in any version up to and including 2.5.8.1. The vulnerability exists in all releases prior to that version and affects any site that deploys the shortcode. Exact affected releases include all WordPress installations using 2.5.8.1 or earlier.", "description_and_impact": "The Pz\u2011LinkCard plugin for WordPress allows authenticated users with Contributor-level access or higher to store malicious scripts in the 'blogcard' shortcode attributes. Because the plugin fails to properly sanitise or escape these attributes before rendering, the injected scripts are persisted in the database and executed automatically whenever a user loads a page that contains the shortcode, leading to cross\u2011site scripting that can compromise user sessions or deface content. This weakness aligns with CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate risk level. EPSS data is not available and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers must be authenticated with Contributor or higher privileges, so public exploitation requires initial compromise or an existing account. Nonetheless, the stored nature of the flaw means that once an attacker injects code, it will continue to affect every visitor to the affected page until the content is removed or the plugin is updated. Therefore, sites using the vulnerable version should treat this as a priority fix."}}}}, "created": "2026-04-18T09:00:05.895696+00:00", "updated": "2026-04-18T09:00:05.895708+00:00", "vendors": []}