{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39667", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:59.671Z", "datePublished": "2026-04-08T08:30:38.379Z", "dateUpdated": "2026-04-08T08:30:38.379Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "korea-sns", "product": "Korea SNS", "vendor": "Jongmyoung Kim", "versions": [{"lessThanOrEqual": "1.7.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:42.655Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jongmyoung Kim Korea SNS korea-sns allows DOM-Based XSS.<p>This issue affects Korea SNS: from n/a through <= 1.7.0.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jongmyoung Kim Korea SNS korea-sns allows DOM-Based XSS.This issue affects Korea SNS: from n/a through <= 1.7.0."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:38.379Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/korea-sns/vulnerability/wordpress-korea-sns-plugin-1-7-0-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Korea SNS plugin <= 1.7.0 - Cross Site Scripting (XSS) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jongmyoung Kim Korea SNS korea-sns allows DOM-Based XSS.This issue affects Korea SNS: from n/a through <= 1.7.0."}], "id": "CVE-2026-39667", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:38.037", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/korea-sns/vulnerability/wordpress-korea-sns-plugin-1-7-0-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.7.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Korea SNS", "source": "cna", "vendor": "Jongmyoung Kim"}, "product": "korea_sns", "vendor": "jongmyoung_kim"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:00:52.093766+00:00", "value": {"mitigation_remediation": ["Upgrade the Korea SNS plugin to a version newer than 1.7.0, if available.", "If an update is not possible, disable the plugin or replace it with a verified alternative until a patch is released.", "Scour the site for any injected JavaScript and remove it manually.", "Configure web application firewall rules to block suspicious script injections in URLs or form inputs.", "Monitor access logs for anomalous activity that may indicate exploitation attempts."], "summary": {"action": "Patch", "impact": "DOM\u2011Based Cross\u2011Site Scripting (XSS) that can execute arbitrary JavaScript in a visitor\u2019s browser"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress Korea SNS plugin developed by Jongmyoung Kim. All installations running version 1.7.0 or earlier are impacted; newer releases are not listed as affected.", "description_and_impact": "The Korea SNS plugin improperly neutralizes user input during web page generation, allowing attackers to inject malicious scripts that execute in the context of a legitimate user\u2019s browser. This DOM\u2011based cross\u2011site scripting can enable credential theft, defacement, or the execution of further attacks via the compromised session. Users who visit affected pages may unknowingly expose themselves to these risks.", "risk_and_exploitability": "Because the exploitation path is client\u2011side and does not require elevated credentials, any visitor can trigger the malicious code by loading a crafted page. While no CVSS or EPSS scores are provided, the nature of XSS grants attackers the ability to subvert user sessions and deface content, representing a moderate to high risk. The vulnerability is not currently listed in the CISA KEV catalog, but the lack of available exploit probability data means the threat cannot be ruled out."}}}}, "created": "2026-04-08T19:28:06.211813+00:00", "updated": "2026-04-08T19:41:09.435840+00:00", "vendors": ["jongmyoung_kim", "jongmyoung_kim$PRODUCT$korea_sns", "wordpress", "wordpress$PRODUCT$wordpress"]}