HarborGuard Database
Severity: HIGH · CVE-2026-48871 · CNA: Patchstack

CVE-2026-48871: WordPress MW WP Form plugin <= 5.1.3 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in MW WP Form <= 5.1.3 versions.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a reflected or stored cross-site scripting (XSS) vulnerability in the MW WP Form WordPress plugin, versions 5.1.3 and earlier, developed by Takashi Kitajima. The flaw is reachable over the network with no authentication required, but a victim must interact with a malicious link or page for the attack to succeed. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, enabling session theft, page content manipulation, and limited availability impact. No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as a fix is released.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: CVE-2026-48871 is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the MW WP Form plugin.

Triage: Available

HarborGuard scores this CVE at 7.1 HIGH using the CVSS v3.1 vector and can weight that score against each customer environment's compliance policy to adjust priority; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published for MW WP Form, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the vulnerable WordPress site over the network; the plugin's XSS endpoint is exposed via standard HTTP/HTTPS traffic.

  • Authentication: Not required

    No account or credentials are needed; the vulnerability is exploitable by any unauthenticated network user.

  • Victim interaction: Required

    A victim must click a crafted link or visit a malicious page that triggers the XSS payload in their browser session.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race conditions, or environmental factors to succeed.

Blast Radius

  • Reads the victim's active session cookies or authentication tokens, enabling account takeover without needing the victim's password.
  • Injects and executes arbitrary JavaScript in the victim's browser within the WordPress site's origin, allowing modification of visible page content.
  • Exfiltrates form input data or other page content entered by the victim to an attacker-controlled server.
  • Causes limited disruption to the victim's browsing session on the affected site, consistent with the CVSS availability impact rating of Low.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored continuously against customer images that include the MW WP Form plugin at version 5.1.3 or earlier. Because no upstream patch exists at this time, HarborGuard recommends compensating controls for affected deployments: apply network-policy rules to restrict unexpected outbound requests from the WordPress container (limiting exfiltration), consider a web application firewall rule to block requests containing unsanitized script payloads targeting the affected form endpoints, and evaluate disabling the plugin in environments where it is not strictly required. HarborGuard will re-check the Patchstack advisory on every ingest cycle and, for customers with auto-remediation enabled, a patched-image rebuild, regression test run, and PR against affected workloads will be initiated automatically as soon as a fix version is published upstream.

Affected packages
  • Takashi Kitajima / MW WP Form: ≤ 5.1.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L