{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2427", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-12T20:45:42.734Z", "datePublished": "2026-03-21T03:26:57.391Z", "dateUpdated": "2026-03-23T17:07:26.858Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:26:57.391Z"}, "affected": [{"vendor": "kazunii", "product": "itsukaita", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "0.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day_from' and 'day_to' parameters in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link."}], "title": "itsukaita <= 0.1.2 - Reflected Cross-Site Scripting via 'day_from' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a0010ee3-1016-479f-ae60-5d5900862489?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/itsukaita/trunk/itsukaita.php#L55"}, {"url": "https://plugins.trac.wordpress.org/browser/itsukaita/tags/0.1.2/itsukaita.php#L55"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "san6051"}], "timeline": [{"time": "2026-03-20T15:16:38.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T17:07:14.999007Z", "id": "CVE-2026-2427", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:07:26.858Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2427", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T17:07:14.999007Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:07:22.455Z"}}], "cna": {"title": "itsukaita <= 0.1.2 - Reflected Cross-Site Scripting via 'day_from' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "san6051"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "kazunii", "product": "itsukaita", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "0.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:16:38.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a0010ee3-1016-479f-ae60-5d5900862489?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/itsukaita/trunk/itsukaita.php#L55"}, {"url": "https://plugins.trac.wordpress.org/browser/itsukaita/tags/0.1.2/itsukaita.php#L55"}], "descriptions": [{"lang": "en", "value": "The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day_from' and 'day_to' parameters in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:26:57.391Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2427", "state": "PUBLISHED", "dateUpdated": "2026-03-23T17:07:26.858Z", "dateReserved": "2026-02-12T20:45:42.734Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:57.391Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day_from' and 'day_to' parameters in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link."}], "id": "CVE-2026-2427", "lastModified": "2026-03-23T14:32:02.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-21T04:17:01.217", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/itsukaita/tags/0.1.2/itsukaita.php#L55"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/itsukaita/trunk/itsukaita.php#L55"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a0010ee3-1016-479f-ae60-5d5900862489?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "itsukaita", "source": "cna", "vendor": "kazunii"}, "product": "itsukaita", "vendor": "kazunii"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:38:30.152038+00:00", "value": {"mitigation_remediation": ["Upgrade the itsukaita plugin to a version higher than 0.1.2, or remove the plugin if it is no longer required.", "If an upgrade is not feasible, exclude the 'day_from' and 'day_to' parameters from any externally visible pages or block access to them through server configuration.", "Apply a website\u2011wide Content Security Policy that disallows inline scripts and enforces strict isolation of script sources."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting that allows injection of arbitrary scripts into pages viewed by administrators"}, "threat_synthesis": {"affected_systems": "The vulnerable component is the WordPress plugin itsukaita, maintained by kazunii, in versions 0.1.2 and earlier. Sites that have installed or upgraded to any of those releases are impacted. Vendors or site operators using older versions should consider them compromised until remedied.", "description_and_impact": "The plugin contains a reflected XSS flaw in the 'day_from' and 'day_to' parameters. Unsanitized user input is reflected into the page output, letting an attacker inject malicious scripts. The injected code runs in the context of the victim\u2019s browser, granting the attacker the ability to steal session data, deface the site, or insert further malicious content. Because the bug exists in all releases up to 0.1.2, any site running an affected version is at risk as soon as an attacker can lure an administrator to click a crafted link.", "risk_and_exploitability": "The CVSS base score of 6.1 indicates a moderate severity. No EPSS information is available, but the availability of the plugin on the public WordPress repository and the lack of authentication requirement make it likely that external attackers can exploit it. The vulnerability is not listed in the CISA KEV catalog. Adversaries typically deliver the exploit through a phishing or malicious link that, when followed by an administrator, triggers the reflected payload."}}}}, "created": "2026-03-23T09:50:10.508972+00:00", "updated": "2026-03-25T14:41:51.320499+00:00", "vendors": ["kazunii", "kazunii$PRODUCT$itsukaita", "wordpress", "wordpress$PRODUCT$wordpress"]}