Cyber Posture

CVE-2026-2834

Severity: High
Published: 15 April 2026
Modified: 22 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: not specified
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0003 (7.4th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2834 is a high-severity Cross-site Scripting (CWE-79) vulnerability in a plugin for WordPress (the affected product is inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 7.4th percentile by exploit likelihood (EPSS, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly addresses the insufficient input sanitization of the 'description' parameter that enables stored XSS injection in the WordPress plugin.

SI-15 Information Output Filtering (prevent)
Mitigates the lack of output escaping by filtering injected scripts before they execute in users' browsers on affected pages.

Patch or remove the vulnerable plugin (prevent, recover)
Ensures timely remediation of the known flaw in plugin versions up to and including 3.32.3, through patching or removal, to prevent exploitation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1056.001 Keylogging (Collection)
Adversaries may log user keystrokes to intercept credentials as the user types them.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS in a public-facing WordPress plugin enables remote, unauthenticated exploitation (T1190) and directly facilitates browser-based credential theft via keylogging (T1056.001), browser session hijacking (T1185), and web session cookie theft (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'description' parameter in all versions up to, and including, 3.32.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Deeper analysis

CVE-2026-2834 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Age Verification & Identity Verification by Token of Trust plugin for WordPress in all versions up to and including 3.32.3. The flaw stems from insufficient input sanitization and output escaping of the 'description' parameter, allowing arbitrary web scripts to be injected into pages. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, and lack of prerequisites.

Unauthenticated attackers can exploit this vulnerability remotely without privileges or user interaction. By submitting malicious payloads via the 'description' parameter, they can store scripts on affected WordPress sites, which then execute in the context of any user's browser upon accessing the injected page. This enables potential theft of session cookies, keystroke logging, or phishing attacks against site visitors, including administrators, with impacts on confidentiality and integrity.

Advisories and references, including a Wordfence threat intelligence report and code excerpts from the plugin's Trac repository (e.g., error-log.php and view-logs.php in version 3.31.4), highlight the vulnerable code paths but do not specify patch details in the provided information. Security practitioners should review these sources for mitigation guidance, such as updating to a patched version beyond 3.32.3.
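The two controls named above (input validation at the trust boundary, output escaping at render time) are easiest to see side by side in code. The following is an added illustration written for this record, not code from the Token of Trust plugin or its Trac repository: it assumes a hypothetical plugin that accepts a 'description' field on an unauthenticated submit endpoint and later renders it on an admin page. The hook names, option name and `tot_example_*` function names are constructed for the example; the WordPress API calls (`sanitize_text_field`, `wp_unslash`, `esc_html`, `update_option`, `get_option`, `add_action`, `add_menu_page`) are real.

```php
<?php
// Added illustration of the CWE-79 pattern this record describes: a plugin
// stores a user-supplied 'description' and later renders it. This is NOT the
// Token of Trust plugin's code; the endpoint, option name and function names
// are constructed for the example.

// --- Vulnerable pattern (the shape the NVD text describes) ----------------
// Input is stored raw and echoed raw: the missing input sanitization (SI-10)
// and missing output escaping (SI-15) named in the mitigating controls.
// These two functions are shown for contrast and are never registered below.
function tot_example_store_description_vulnerable() {
    $description = isset($_POST['description']) ? $_POST['description'] : '';
    // Stored verbatim: attacker-controlled markup persists in the database.
    update_option('tot_example_last_description', $description);
}

function tot_example_render_description_vulnerable() {
    $description = get_option('tot_example_last_description', '');
    // Rendered verbatim: whatever markup was stored runs in the viewer's browser.
    echo '<p>' . $description . '</p>';
}

// --- Hardened pattern -----------------------------------------------------
function tot_example_store_description_safe() {
    $raw = isset($_POST['description']) ? wp_unslash($_POST['description']) : '';
    // SI-10: sanitize at the trust boundary. sanitize_text_field() strips tags,
    // NUL bytes and stray whitespace; the length cap keeps the stored field
    // from being used as an arbitrary storage sink.
    $description = mb_substr(sanitize_text_field($raw), 0, 500);
    update_option('tot_example_last_description', $description);
}

function tot_example_render_description_safe() {
    $description = get_option('tot_example_last_description', '');
    // SI-15: escape at output for the context the value lands in (HTML body).
    // Inside an attribute use esc_attr(); inside inline script use esc_js().
    // Escaping here is applied even though input was sanitized: the two
    // controls are independent, and either one alone leaves a gap.
    echo '<p>' . esc_html($description) . '</p>';
}

// Register only the hardened handlers. The submit endpoint is deliberately
// reachable without authentication (the advisory's attack surface is
// unauthenticated), which is exactly why sanitization cannot be skipped.
add_action('admin_post_nopriv_tot_example_submit', 'tot_example_store_description_safe');
add_action('admin_post_tot_example_submit', 'tot_example_store_description_safe');

// The page that renders the stored value is gated by a capability check.
add_action('admin_menu', function () {
    add_menu_page('Example log', 'Example log', 'manage_options',
        'tot-example-log', 'tot_example_render_description_safe');
});
```

To check the hardened path on a test site, drop the file in `wp-content/mu-plugins/`, submit a description containing angle brackets to `admin-post.php?action=tot_example_submit`, and confirm that the admin page source shows them as `&lt;` and `&gt;` rather than as tags. If a field legitimately needs limited HTML, `wp_kses_post()` at storage time with `wp_kses_post()` again at output is the WordPress-idiomatic replacement for the `sanitize_text_field`/`esc_html` pair; plain `strip_tags()` is not equivalent and should not be relied on.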

Details

CWE(s)

CWE-79 (Cross-site Scripting)

Affected Products

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-23786 (shared CWE-79)
CVE-2026-28683 (shared CWE-79)
CVE-2026-2568 (shared CWE-79)
CVE-2025-0817 (shared CWE-79)
CVE-2026-24665 (shared CWE-79)
CVE-2026-32728 (shared CWE-79)
CVE-2026-2072 (shared CWE-79)
CVE-2024-55227 (shared CWE-79)
CVE-2025-25062 (shared CWE-79)
CVE-2024-51700 (shared CWE-79)

References