CVE-2026-48876: WordPress Stop Spammers plugin <= 2026.3 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Stop Spammers <= 2026.3 versions.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a reflected or stored cross-site scripting (XSS) vulnerability in the Stop Spammers WordPress plugin, versions 2026.3 and earlier. The vulnerability is reachable over the network and requires no authentication, but a victim must take an action (such as clicking a crafted link) for the attack to succeed. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, enabling session theft, page content manipulation, or redirection to malicious sites. HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Detection for CVE-2026-48876 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images, including custom-built images that bundle the Stop Spammers plugin. Scan results surface in the HarborGuard dashboard and pipeline gates without requiring manual configuration. (Status: Available)
- HarborGuard scores this CVE at 7.1 HIGH using the published CVSS v3.1 vector and weights findings against each customer environment's compliance policy to determine breach-of-threshold status. Findings are routed to the appropriate team inbox within the customer org based on policy and ownership mapping. (Status: Available)
- No fix version has been published by the vendor as of the CVE publication date. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress installation.
- Authentication: Not required
No account or session credentials are needed; the vulnerability is exploitable by any unauthenticated external party.
- Victim interaction: Required
A victim must perform an action, such as clicking a crafted link or visiting a malicious page, for the injected script to execute in their browser.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race conditions, or environmental factors beyond delivering the payload to the victim.
Blast Radius
- Reads session cookies and authentication tokens from the victim's browser, enabling account hijacking.
- Modifies the content of the page rendered in the victim's browser, allowing phishing overlays or credential-harvesting forms to be injected.
- Redirects the victim's browser to an attacker-controlled site.
- Degrades the victim's browsing session by injecting disruptive or misleading UI elements (partial availability impact within the browser context).
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the Patchstack advisory for CVE-2026-48876 across all scanned environments that include the Stop Spammers plugin at version 2026.3 or earlier. Because no upstream fix exists yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the vendor publishes a remediated version. For customers with auto-remediation enabled, the rebuild, regression test run, and a PR opened against affected workloads will trigger automatically at that point. In the interim, compensating controls worth evaluating include network-policy rules that restrict access to the WordPress admin surface, web application firewall rules targeting XSS payloads on affected routes, and disabling the Stop Spammers plugin where its functionality is not strictly required.
Affected Products
- Web Guy / Stop Spammers: ≤ 2026.3
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L