Platform
wordpress
Component
pz-linkcard
Fixed in
2.5.9
CVE-2026-2434 is a stored Cross-Site Scripting (XSS) vulnerability in the Pz-LinkCard plugin for WordPress. It allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts. The vulnerability affects plugin versions up to and including 2.5.8.1, and exploitation can lead to the execution of malicious code when users access affected pages. No official patch is currently available.
CVE-2026-2434 is a stored Cross-Site Scripting (XSS) vulnerability in the Pz-LinkCard plugin for WordPress. An authenticated attacker with Contributor-level access or higher can inject malicious JavaScript into WordPress content. When other users visit the affected pages, the script executes in their browsers, potentially allowing the attacker to steal cookies, redirect to malicious websites, or perform other actions on behalf of the user. The root cause is insufficient sanitization of the attributes of the 'blogcard' shortcode. The CVSS score is 6.4, which the page rates as a moderate to high risk. Updating the plugin is the primary mitigation.
An attacker with Contributor or higher access on a WordPress site using the Pz-LinkCard plugin can exploit this vulnerability by placing malicious JavaScript in an attribute of the 'blogcard' shortcode. The payload is stored in the database and executed every time a user visits the page containing the shortcode. Exploitation requires authenticated access but not administrator privileges; it depends on the attacker's ability to modify WordPress content and on users' trust in the website.
Exploit Status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS Vector
The solution for CVE-2026-2434 is to update the Pz-LinkCard plugin to version 2.5.9 or higher, which includes the fixes that prevent the injection of malicious scripts. It is also recommended to review all content using the 'blogcard' shortcode that was created while a version prior to 2.5.9 was installed and to check it for injected code; any injections found should be removed before or alongside the plugin update. As a preventative measure, consider implementing a Content Security Policy (CSP) on the website to limit the sources from which scripts can be executed, reducing the potential impact of future XSS attacks.
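As an added example (not code from the plugin or from this page), a small offline scanner for the review step above: it parses exported post content for [blogcard ...] shortcodes and flags attribute values that contain markup, javascript: URLs, event-handler names or quote characters. The sample posts and the attribute names (url, title) are constructed; since the page does not name which attribute was unsanitized, every attribute of every blogcard shortcode is inspected.

```python
import re

# Constructed sample of post_content values keyed by post ID, as one might
# export them with WP-CLI or a database dump. Attribute names are assumptions.
SAMPLE_POSTS = {
    101: 'Intro [blogcard url="https://example.com/post" title="A benign card"] more text',
    102: 'See [blogcard url="https://example.com" title="x&quot; onmouseover=&quot;alert(1)"]',
    103: "[blogcard url='javascript:alert(document.cookie)']",
    104: '[blogcard url="https://example.com" title="Has <b>markup</b>"]',
}

# Matches the shortcode and captures its raw attribute string.
SHORTCODE_RE = re.compile(r'\[blogcard\b([^\]]*)\]', re.IGNORECASE)
# Matches name="value", name='value' or name=value pairs inside that string.
ATTR_RE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))''')

# Triage heuristics, checked in order; the first hit is reported.
# These are deliberately broad (e.g. "one=" would match the handler rule)
# because the goal is to surface content for a human to inspect.
SUSPICIOUS = [
    (re.compile(r'<'), 'raw tag opener'),
    (re.compile(r'&lt;|&#0*60;|&#x0*3c;', re.I), 'encoded tag opener'),
    (re.compile(r'javascript\s*:', re.I), 'javascript: URL'),
    (re.compile(r'\bon\w+\s*=', re.I), 'event handler attribute'),
    (re.compile(r'''&quot;|&#0*34;|&#x0*22;|["']''', re.I), 'quote (attribute breakout)'),
]


def parse_blogcards(content):
    """Yield (attr_name, attr_value) for every [blogcard] shortcode in content."""
    for m in SHORTCODE_RE.finditer(content):
        for a in ATTR_RE.finditer(m.group(1)):
            value = next(g for g in a.groups()[1:] if g is not None)
            yield a.group(1).lower(), value


def find_suspicious(posts):
    """Return (post_id, attr_name, reason) for each attribute value that looks injected."""
    findings = []
    for post_id, content in posts.items():
        for name, value in parse_blogcards(content):
            for pattern, reason in SUSPICIOUS:
                if pattern.search(value):
                    findings.append((post_id, name, reason))
                    break
    return findings


if __name__ == "__main__":
    for post_id, name, reason in find_suspicious(SAMPLE_POSTS):
        print(f"post {post_id}: attribute '{name}' looks injected ({reason})")
```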
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
XSS (Cross-Site Scripting) is a class of security vulnerability that allows attackers to inject malicious scripts into legitimate websites; the scripts then execute in the browsers of users visiting the site.
Updating the Pz-LinkCard plugin to version 2.5.9 or higher fixes the vulnerability and prevents the injection of malicious scripts.
If you suspect your site has been compromised, change all user passwords immediately, review page and post content for malicious code, and consider restoring a clean backup of the site.
Implement a Content Security Policy (CSP), use a Web Application Firewall (WAF), and keep all your plugins and themes updated.
In WordPress, a user with the 'Contributor' role has limited permissions to create and edit content, but still poses a risk in this case because the content it can modify is stored and rendered to other users.