Lifepress — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/lifepress/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 12 May 2026 09:17:38 +0000CVE-2026-6690: LifePress WordPress Plugin Stored XSS Vulnerabilityhttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-6690-lifepress-xss/Tue, 12 May 2026 09:17:38 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-6690-lifepress-xss/The LifePress plugin for WordPress is vulnerable to stored cross-site scripting (XSS) due to insufficient input sanitization and output escaping within the `lp_update_mds` AJAX action, allowing unauthenticated attackers to inject arbitrary web scripts via the 'n' parameter that execute when a user accesses the injected page; this affects versions up to and including 2.2.2.The LifePress plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability that affects versions up to and including 2.2.2. The vulnerability resides in the lp_update_mds AJAX action, specifically the ’n’ parameter. The wp_ajax_nopriv_lp_update_mds action lacks both nonce verification and capability checks. Furthermore, the plugin exhibits insufficient input sanitization and output escaping when rendering the series name on the admin settings page. This allows unauthenticated attackers to inject arbitrary web scripts into pages. These scripts will then execute whenever a user accesses a page where the injected content is displayed. This can lead to account compromise, data theft, or other malicious activities.

Attack Chain

  1. An unauthenticated attacker crafts a malicious HTTP request targeting the wp-admin/admin-ajax.php endpoint.
  2. The attacker sets the action parameter to lp_update_mds within the HTTP request.
  3. The attacker includes a crafted payload within the ’n’ parameter of the request, containing the malicious XSS script.
  4. The server-side code, specifically the wp_ajax_nopriv_lp_update_mds function, processes the request without proper sanitization of the ’n’ parameter.
  5. The unsanitized input from the ’n’ parameter is stored in the WordPress database.
  6. An administrator or other authorized user accesses an admin settings page where the stored series name is displayed.
  7. The malicious XSS payload is rendered in the user’s browser due to the lack of output escaping.
  8. The injected script executes within the user’s browser session, potentially stealing cookies, redirecting the user, or performing other malicious actions.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to inject malicious JavaScript code into the WordPress site. This code can then be executed in the browsers of administrators or other users who access affected pages. This can lead to account compromise, defacement of the website, or redirection of users to phishing sites. Given the lack of authentication required to trigger this, a large number of WordPress sites using the LifePress plugin are potentially vulnerable.

Recommendation

  • Deploy the Sigma rule “Detect CVE-2026-6690 Exploitation Attempt via lp_update_mds AJAX Action” to identify potential exploitation attempts targeting the vulnerable endpoint.
  • Inspect web server logs for POST requests to wp-admin/admin-ajax.php with the action parameter set to lp_update_mds and containing suspicious characters in the n parameter.
  • Apply the available patch for the LifePress plugin, upgrading to a version greater than 2.2.2 to remediate CVE-2026-6690.
]]>mediumadvisorywordpressxsscve-2026-6690lifepressstored-xssplugin