{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-4267/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-4267"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","reflected-xss","cve-2026-4267"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Query Monitor plugin for WordPress, a developer tool panel, is susceptible to a reflected Cross-Site Scripting (XSS) vulnerability. Identified as CVE-2026-4267, this flaw exists in all versions up to and including 3.20.3. The vulnerability arises from the plugin\u0026rsquo;s failure to adequately sanitize input and escape output related to the \u003ccode\u003e$_SERVER['REQUEST_URI']\u003c/code\u003e parameter. An unauthenticated attacker can exploit this by injecting malicious web scripts into pages, posing a threat to users who…\u003c/p\u003e\n","date_modified":"2026-03-31T12:16:31Z","date_published":"2026-03-31T12:16:31Z","id":"/briefs/2024-01-query-monitor-xss/","summary":"The Query Monitor WordPress plugin is vulnerable to reflected cross-site scripting (XSS) due to insufficient input sanitization and output escaping of the '$_SERVER['REQUEST_URI']' parameter, allowing unauthenticated attackers to inject arbitrary web scripts.","title":"Query Monitor WordPress Plugin Vulnerable to Reflected XSS (CVE-2026-4267)","url":"https://feed.craftedsignal.io/briefs/2024-01-query-monitor-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-4267","version":"https://jsonfeed.org/version/1.1"}