{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/rpb/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-13042"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RPB Chessboard (\u003c= 8.1.2)"],"_cs_severities":["high"],"_cs_tags":["wordpress","xss","web-vulnerability"],"_cs_type":"advisory","_cs_vendors":["RPB"],"content_html":"\u003cp\u003eThe RPB Chessboard plugin for WordPress, in all versions up to and including 8.1.2, contains a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-13042. This flaw stems from inadequate input sanitization and output escaping within the plugin's comment content handling. Unauthenticated attackers can exploit this vulnerability by submitting specially crafted comments containing HTML tags and attributes (such as \u003ccode\u003e\u0026lt;a\u0026gt;\u003c/code\u003e elements with \u003ccode\u003etitle\u003c/code\u003e and \u003ccode\u003ehref\u003c/code\u003e) that are typically considered safe by WordPress's \u003ccode\u003ekses\u003c/code\u003e sanitization. The RPB Chessboard plugin's \u003ccode\u003ecomment_text\u003c/code\u003e filter then dynamically synthesizes dangerous, attribute-breaking HTML at render time, leading to the execution of arbitrary web scripts in a victim's browser when they view the compromised page. This allows for session hijacking, website defacement, or redirection to malicious sites.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCrafting Malicious Comment\u003c/strong\u003e: An unauthenticated attacker crafts a comment containing specific HTML tags and attributes (e.g., an \u003ccode\u003e\u0026lt;a\u0026gt;\u003c/code\u003e element with \u003ccode\u003etitle\u003c/code\u003e and \u003ccode\u003ehref\u003c/code\u003e) that appear benign but are designed to be misinterpreted by the RPB Chessboard plugin.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSubmission\u003c/strong\u003e: The attacker submits this crafted comment to a WordPress site using the vulnerable RPB Chessboard plugin.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWordPress Sanitization Bypass\u003c/strong\u003e: WordPress's default \u003ccode\u003ekses\u003c/code\u003e sanitization process allows the comment through because it only contains permitted tags and attributes, not inherently recognized as malicious at this stage.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Plugin Processing\u003c/strong\u003e: The RPB Chessboard plugin's \u003ccode\u003ecomment_text\u003c/code\u003e filter processes the stored comment content prior to rendering on a webpage.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDynamic Payload Synthesis\u003c/strong\u003e: During the plugin's rendering process, the previously benign-looking HTML is synthesized into dangerous, attribute-breaking HTML, effectively injecting arbitrary web scripts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser Access\u003c/strong\u003e: A legitimate user accesses a WordPress page or post that displays the attacker's crafted comment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eScript Execution\u003c/strong\u003e: The injected arbitrary web scripts execute within the context of the victim user's browser, leading to client-side compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-13042 allows unauthenticated attackers to execute arbitrary web scripts in the browser of any user viewing an affected WordPress page. This can lead to a range of client-side attacks, including but not limited to, session hijacking, defacement of the affected webpage, redirection of users to malicious phishing sites, or execution of malicious code in the context of the victim's browser. Organizations using the RPB Chessboard plugin are at risk, as attackers can compromise user accounts, collect sensitive information, or spread malware without direct interaction from the victim beyond simply viewing a comment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-13042\u003c/strong\u003e: Immediately update the RPB Chessboard plugin to a version beyond 8.1.2 or remove it if an update is not available, as this addresses the vulnerability described in CVE-2026-13042.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor WordPress Comment Submissions\u003c/strong\u003e: Deploy a Web Application Firewall (WAF) to inspect HTTP POST requests to WordPress comment endpoints for suspicious HTML structures or JavaScript-like content within comment fields, even if they use 'kses-allowed' tags.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEducate Users\u003c/strong\u003e: Inform WordPress users and administrators about the risks of Stored XSS and the importance of timely plugin updates.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T05:18:54Z","date_published":"2026-07-16T05:18:54Z","id":"https://feed.craftedsignal.io/briefs/2026-07-rpb-chessboard-xss/","summary":"The RPB Chessboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping within its comment content functionality, allowing unauthenticated attackers to inject arbitrary web scripts that execute when a user views the affected page, bypassing WordPress's default kses sanitization.","title":"RPB Chessboard WordPress Plugin Vulnerable to Stored Cross-Site Scripting","url":"https://feed.craftedsignal.io/briefs/2026-07-rpb-chessboard-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - RPB","version":"https://jsonfeed.org/version/1.1"}