{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3142", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-24T19:11:07.764Z", "datePublished": "2026-04-08T06:43:39.812Z", "dateUpdated": "2026-04-08T17:02:45.964Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:45.964Z"}, "affected": [{"vendor": "uniquecodergmailcom", "product": "Pinterest Site Verification plugin using Meta Tag", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_var' parameter in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Pinterest Site Verification plugin using Meta Tag <= 1.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'post_var'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ccb7534-b588-4bdd-9627-0e38c0ee5e8a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L160"}, {"url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/trunk/PinterestMetaTagSiteVerification.php#L160"}, {"url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L172"}, {"url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L180"}, {"url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L132"}, {"url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L214"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2026-04-07T17:37:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T13:54:30.533499Z", "id": "CVE-2026-3142", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T13:54:37.898Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3142", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T13:54:30.533499Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T13:54:33.930Z"}}], "cna": {"title": "Pinterest Site Verification plugin using Meta Tag <= 1.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'post_var'", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "uniquecodergmailcom", "product": "Pinterest Site Verification plugin using Meta Tag", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-07T17:37:19.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ccb7534-b588-4bdd-9627-0e38c0ee5e8a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L160"}, {"url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/trunk/PinterestMetaTagSiteVerification.php#L160"}, {"url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L172"}, {"url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L180"}, {"url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L132"}, {"url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L214"}], "descriptions": [{"lang": "en", "value": "The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_var' parameter in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T06:43:39.812Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3142", "state": "PUBLISHED", "dateUpdated": "2026-04-08T13:54:37.898Z", "dateReserved": "2026-02-24T19:11:07.764Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T06:43:39.812Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_var' parameter in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-3142", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T07:16:20.870", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L132"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L160"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L172"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L180"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L214"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L92"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/pinterest-site-verification/trunk/PinterestMetaTagSiteVerification.php#L160"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ccb7534-b588-4bdd-9627-0e38c0ee5e8a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Pinterest Site Verification plugin using Meta Tag", "source": "cna", "vendor": "uniquecodergmailcom"}, "product": "pinterest_site_verification_plugin_using_meta_tag", "vendor": "uniquecodergmailcom"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T08:23:32.217252+00:00", "value": {"mitigation_remediation": ["Update the Pinterest Site Verification plugin to the latest release that removes the stored XSS flaw.", "If updating is not immediately possible, temporarily deactivate or uninstall the plugin until a patch is available.", "Deploy a web\u2011application firewall or content\u2011security policy to block injected scripts from executing on the site.", "Review user capabilities to ensure subscriber accounts cannot perform privileged actions in the plugin."], "summary": {"action": "Patch immediately", "impact": "Stored cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Pinterest Site Verification plugin (Meta Tag version 1.8 or earlier). The issue is confined to the plugin\u2019s code and does not affect core WordPress or other plugins.", "description_and_impact": "The Pinterest Site Verification plugin for WordPress contains a stored cross\u2011site scripting flaw caused by inadequate sanitization of the 'post_var' parameter in versions up to 1.8. Authenticated users with subscriber\u2011level rights may inject arbitrary JavaScript into the plugin\u2019s settings, which is then rendered in web pages and executed by anyone who views an affected page. This vulnerability allows an attacker to execute arbitrary code in the context of site visitors, potentially exposing sensitive data, hijacking sessions, or defacing the site.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity, and the attack requires the attacker to have a subscriber\u2011level account on the target site. While the vulnerability is not exploitable by unauthenticated users, the potential impact of XSS is significant because it allows script execution across the site. No EPSS score or KEV listing is available, but the condition for exploitation is clear: an authenticated subscriber+ user must modify the plugin\u2019s settings."}}}}, "created": "2026-04-08T19:31:09.843165+00:00", "updated": "2026-04-08T19:43:43.424254+00:00", "vendors": ["uniquecodergmailcom", "uniquecodergmailcom$PRODUCT$pinterest_site_verification_plugin_using_meta_tag", "wordpress", "wordpress$PRODUCT$wordpress"]}