{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39517", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:03.414Z", "datePublished": "2026-04-08T08:30:15.367Z", "dateUpdated": "2026-04-08T08:30:15.367Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "blog-filter", "product": "Blog Filter", "vendor": "A WP Life", "versions": [{"changes": [{"at": "1.7.7", "status": "unaffected"}], "lessThanOrEqual": "1.7.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:29:02.201Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.<p>This issue affects Blog Filter: from n/a through <= 1.7.6.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.This issue affects Blog Filter: from n/a through <= 1.7.6."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:15.367Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/blog-filter/vulnerability/wordpress-blog-filter-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Blog Filter plugin <= 1.7.6 - Cross Site Scripting (XSS) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.This issue affects Blog Filter: from n/a through <= 1.7.6."}], "id": "CVE-2026-39517", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:25.493", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/blog-filter/vulnerability/wordpress-blog-filter-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T10:48:52.988403+00:00", "value": {"mitigation_remediation": ["Update the Blog Filter plugin to a version newer than 1.7.6", "If an update is unavailable, disable or remove the plugin", "Verify that no legacy instances of the plugin remain on production sites", "Check the vendor\u2019s website or WordPress plugin repository for ongoing security updates"], "summary": {"action": "Immediate Patch", "impact": "DOM-based Cross\u2011site Scripting"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the A WP Life Blog Filter, named Blog Filter, on all WordPress installations that use any version from the earliest release up to and including 1.7.6. All sites that have installed the plugin in these versions are at risk.", "description_and_impact": "The Blog Filter plugin for WordPress contains a DOM\u2011based cross\u2011site scripting flaw that arises from improper neutralization of user input during page generation. An attacker may be able to inject malicious JavaScript that executes in the browsers of visitors who load that page, potentially allowing manipulation of page content or execution of arbitrary scripts within the site's context.", "risk_and_exploitability": "No CVSS score is supplied in the CVE entry, and the EPSS score is not available. The vulnerability is not listed in CISA\u2019s KEV catalog, indicating no known public exploitation at the time of disclosure. Based on the description, it is inferred that the attack requires a victim to interact with the exploited input (for example, visiting a crafted URL or submitting a malicious form field) for the script to execute. Because the flaw is DOM\u2011based, it can be triggered client\u2011side without needing special server configuration, suggesting a moderate to high likelihood of exploitation under suitable conditions."}}}}, "created": "2026-04-08T19:42:56.309910+00:00", "updated": "2026-04-08T19:42:56.309938+00:00", "vendors": []}