Cyber Resilience

CVE-2026-1216

High

Published: 17 February 2026

Published
17 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score 0.0017 38.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1216 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-1216 is a reflected cross-site scripting (XSS) vulnerability in the RSS Aggregator plugin for WordPress, affecting all versions up to and including 5.0.10. The flaw stems from insufficient input sanitization and output escaping of the user-supplied 'template' parameter, enabling arbitrary web script injection. It is classified under CWE-79 with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no privileges by crafting malicious requests targeting the 'template' parameter. Successful exploitation requires tricking a user into performing an action, such as clicking a specially crafted link, which injects and executes arbitrary scripts in the victim's browser context, potentially leading to session hijacking, data theft, or further site compromise given the changed scope (S:C).

Mitigation details are available in advisories from Wordfence and WordPress plugin trac repositories, including code changes in DisplaysStore.php at line 106 and a patch via changeset 3439384 in the trunk repository, recommending immediate updates beyond version 5.0.10.

EU & UK References

Vulnerability details

The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible…

more

for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

Reflected XSS in public-facing WordPress plugin directly enables exploitation of web apps (T1190) and supports drive-by script execution via malicious links (T1189).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13329Shared CWE-79
CVE-2025-13002Shared CWE-79
CVE-2025-27500Shared CWE-79
CVE-2026-1931Shared CWE-79
CVE-2025-28917Shared CWE-79
CVE-2025-59057Shared CWE-79
CVE-2024-56267Shared CWE-79
CVE-2025-69318Shared CWE-79
CVE-2025-23839Shared CWE-79
CVE-2025-23994Shared CWE-79

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of the 'template' parameter to reject or sanitize malicious script input before processing.

prevent

Requires filtering/encoding of output containing the unsanitized 'template' value so injected scripts are not executed in the browser.

preventdetect

Can block or alert on malicious script code delivered via the reflected XSS vector in web responses.

References