{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-7613/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-7613"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cost of Goods by PixelYourSite plugin for WordPress"],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","CVE-2026-7613"],"_cs_type":"advisory","_cs_vendors":["PixelYourSite"],"content_html":"\u003cp\u003eCVE-2026-7613 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Cost of Goods by PixelYourSite plugin for WordPress. The vulnerability exists due to insufficient input sanitization and output escaping of the \u0026lsquo;csvdata[0][cost_of_goods_value]\u0026rsquo; parameter. Unauthenticated attackers can exploit this flaw to inject arbitrary web scripts into pages, which will then execute whenever a user accesses the affected page. The affected versions of the Cost of Goods by PixelYourSite plugin are up to and including 1.2.12. This vulnerability was reported by Wordfence on May 20, 2026. Successful exploitation could lead to account compromise, data theft, or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP request targeting the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe request includes a payload containing a JavaScript injection within the \u003ccode\u003ecsvdata[0][cost_of_goods_value]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted POST request to a WordPress endpoint that processes the Cost of Goods plugin data.\u003c/li\u003e\n\u003cli\u003eThe Cost of Goods plugin fails to properly sanitize or escape the injected JavaScript within the \u003ccode\u003ecsvdata[0][cost_of_goods_value]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe malicious payload is stored in the WordPress database.\u003c/li\u003e\n\u003cli\u003eA user visits a page that displays the stored data from the Cost of Goods plugin.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code is executed within the user\u0026rsquo;s browser, potentially performing actions such as stealing cookies or redirecting the user to a malicious website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability could allow an attacker to compromise WordPress administrator accounts, inject malicious content into the website, or redirect users to phishing sites. As an unauthenticated user can inject arbitrary scripts, the impact could be widespread if an administrator views the injected content. Compromise of the administrator account could lead to complete control over the WordPress website.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Cost of Goods by PixelYourSite plugin to a version greater than 1.2.12 to patch CVE-2026-7613.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-7613 Exploitation — Cost of Goods Plugin XSS\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding on all user-supplied data to prevent XSS vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress logs for suspicious activity related to the Cost of Goods plugin, such as unexpected modifications to plugin settings or data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T17:17:58Z","date_published":"2026-05-20T17:17:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-7613-wordpress-xss/","summary":"The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csvdata[0][cost_of_goods_value]' parameter in versions up to, and including, 1.2.12 due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts that execute when a user accesses an injected page.","title":"CVE-2026-7613: Cost of Goods by PixelYourSite WordPress Plugin Stored XSS","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-7613-wordpress-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-7613","version":"https://jsonfeed.org/version/1.1"}