{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/hbook-plugin--2.1.6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-8143"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HBook plugin (\u003c= 2.1.6)"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","plugin"],"_cs_type":"advisory","_cs_vendors":["Wordfence"],"content_html":"\u003cp\u003eThe HBook plugin for WordPress is susceptible to a stored Cross-Site Scripting (XSS) vulnerability affecting versions 2.1.6 and earlier. The vulnerability, identified as CVE-2026-8143, stems from insufficient input sanitization and output escaping of the \u0026lsquo;hb_country_iso\u0026rsquo;, \u0026lsquo;hb_usa_state_iso\u0026rsquo;, and \u0026lsquo;hb_canada_province_iso\u0026rsquo; parameters. An unauthenticated attacker can inject malicious JavaScript code into these parameters, which is then stored in the WordPress database. When an administrator accesses the affected page (the HBook Customers admin page), the stored XSS payload is executed within their browser, potentially leading to account takeover or further malicious actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP request targeting the HBook plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a JavaScript payload into the \u0026lsquo;hb_country_iso\u0026rsquo;, \u0026lsquo;hb_usa_state_iso\u0026rsquo;, or \u0026lsquo;hb_canada_province_iso\u0026rsquo; parameters.\u003c/li\u003e\n\u003cli\u003eThe vulnerable HBook plugin fails to properly sanitize or escape the injected payload.\u003c/li\u003e\n\u003cli\u003eThe malicious payload is stored in the WordPress database.\u003c/li\u003e\n\u003cli\u003eAn administrator logs into the WordPress administration panel and navigates to the HBook Customers admin page.\u003c/li\u003e\n\u003cli\u003eThe HBook plugin retrieves the stored data from the database, including the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe plugin renders the page, executing the injected JavaScript code in the administrator\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe attacker can then potentially steal session cookies, perform actions on behalf of the administrator, or redirect the administrator to a malicious website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability (CVE-2026-8143) can lead to account compromise, where an attacker gains control of an administrator\u0026rsquo;s WordPress account. This access could then be leveraged to further compromise the WordPress website, install malicious plugins, modify content, or deface the site. The severity is amplified by the fact that no authentication is required to inject the malicious payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the HBook WordPress plugin to the latest version, which includes a fix for CVE-2026-8143.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect HBook WordPress Plugin Stored XSS Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding/escaping for all user-supplied data within WordPress plugins to prevent future XSS vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T08:20:53Z","date_published":"2026-05-27T08:20:53Z","id":"https://feed.craftedsignal.io/briefs/2026-05-hbook-xss/","summary":"The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters (CVE-2026-8143) in versions up to 2.1.6, potentially leading to arbitrary script execution in the administrator's browser.","title":"HBook WordPress Plugin Stored XSS Vulnerability (CVE-2026-8143)","url":"https://feed.craftedsignal.io/briefs/2026-05-hbook-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — HBook Plugin (\u003c= 2.1.6)","version":"https://jsonfeed.org/version/1.1"}