{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24983", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:46.305Z", "datePublished": "2026-03-25T16:14:35.855Z", "dateUpdated": "2026-03-25T20:23:32.958Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "us-core", "product": "UpSolution Core", "vendor": "UpSolution", "versions": [{"changes": [{"at": "8.42", "status": "unaffected"}], "lessThanOrEqual": "<= 8.41", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ananda Dhakal (Patchstack)"}], "datePublic": "2026-03-25T17:12:18.146Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UpSolution UpSolution Core us-core allows Reflected XSS.<p>This issue affects UpSolution Core: from n/a through <= 8.41.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UpSolution UpSolution Core us-core allows Reflected XSS.This issue affects UpSolution Core: from n/a through <= 8.41."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:35.855Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/us-core/vulnerability/wordpress-upsolution-core-plugin-8-41-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress UpSolution Core plugin <= 8.41 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24983", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:17:42.504222Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:23:32.958Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24983", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:17:42.504222Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:17:43.457Z"}}], "cna": {"title": "WordPress UpSolution Core plugin <= 8.41 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Ananda Dhakal (Patchstack)"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "affected": [{"vendor": "UpSolution", "product": "UpSolution Core", "versions": [{"status": "affected", "changes": [{"at": "8.42", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 8.41"}], "packageName": "us-core", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:18.146Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/us-core/vulnerability/wordpress-upsolution-core-plugin-8-41-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UpSolution UpSolution Core us-core allows Reflected XSS.This issue affects UpSolution Core: from n/a through <= 8.41.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UpSolution UpSolution Core us-core allows Reflected XSS.<p>This issue affects UpSolution Core: from n/a through <= 8.41.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:35.855Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24983", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:23:32.958Z", "dateReserved": "2026-01-28T09:50:46.305Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:35.855Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UpSolution UpSolution Core us-core allows Reflected XSS.This issue affects UpSolution Core: from n/a through <= 8.41."}], "id": "CVE-2026-24983", "lastModified": "2026-03-25T21:16:32.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:40.740", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/us-core/vulnerability/wordpress-upsolution-core-plugin-8-41-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:15:11.640566+00:00", "value": {"mitigation_remediation": ["Upgrade the UpSolution Core plugin to version 8.42 or later.", "If an upgrade cannot be performed immediately, disable or delete the plugin from the WordPress installation.", "Verify that known input vectors no longer trigger script execution by testing the site with the same payloads.", "Continuously monitor site logs for unusual script activity and update any custom sanitization logic if present."], "summary": {"action": "Immediate Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the WordPress UpSolution Core plugin for all releases up to and including version 8.41. Site administrators running any of these versions are susceptible; specific pre\u20118.41 patches or mitigations are not documented.", "description_and_impact": "Improper neutralization of user input during web page generation allows a malicious actor to inject client\u2011side script that is echoed back to the victim. The flaw is a reflected cross\u2011site scripting vulnerability that can execute arbitrary code in the context of a user\u2019s browser. Because the input is reflected directly, an attacker can target any visitor to the affected site, potentially compromising confidentiality, integrity, or availability of the web application.", "risk_and_exploitability": "The CVSS score is not published, but reflected XSS generally carries a high exploitation probability for unauthenticated users. The likely attack vector is a crafted URL or form input that the plugin echoes without proper encoding. Because the flaw does not require elevated privileges and can be triggered by any visitor, the risk is moderate to high. EPSS data and KEV status are unavailable, but the absence of mitigating controls suggests the vulnerability could be actively exploited by threat actors."}}}}, "created": "2026-03-25T21:34:27.484719+00:00", "updated": "2026-03-25T21:34:27.484770+00:00", "vendors": []}