{"id":"CVE-2023-0926","details":"The Custom Permalinks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.0 due to insufficient input sanitization and output escaping on tag names. This allows authenticated users with editor-level permissions or greater to inject arbitrary web scripts into pages, which will execute whenever a user accesses an injected page, even when 'unfiltered_html' has been disabled.","modified":"2026-04-02T08:37:11.530105Z","published":"2024-08-24T02:15:03.993Z","references":[{"type":"WEB","url":"https://wordpress.org/plugins/custom-permalinks/"},{"type":"ADVISORY","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/97f8549a-292d-4a6d-8ec0-550467e5cf0f?source=cve"},{"type":"FIX","url":"https://plugins.trac.wordpress.org/changeset/3138206/custom-permalinks/trunk/admin/class-custom-permalinks-post-types-table.php"},{"type":"FIX","url":"https://plugins.trac.wordpress.org/changeset/3138206/custom-permalinks/trunk/admin/class-custom-permalinks-taxonomies-table.php"},{"type":"FIX","url":"https://github.com/samiahmedsiddiqui/custom-permalinks/pull/96"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/samiahmedsiddiqui/custom-permalinks","events":[{"introduced":"0"},{"fixed":"0b0f81431a6c8ea90923f6d4533df99afc00cdf7"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.7.0"}]}}],"versions":["v0.7.28","v0.8","v0.9","v0.9.1","v0.9.2","v0.9.3","v1.0.1","v1.0.2","v1.1","v1.2","v1.2.1","v1.2.10","v1.2.11","v1.2.12","v1.2.13","v1.2.14","v1.2.15","v1.2.16","v1.2.17","v1.2.18","v1.2.19","v1.2.2","v1.2.20","v1.2.21","v1.2.21-pre","v1.2.22","v1.2.23","v1.2.24","v1.2.3","v1.2.4","v1.2.5","v1.2.6","v1.2.7","v1.2.8","v1.2.9","v1.3.0","v1.4.0","v1.5.0","v1.5.1","v1.6.0","v1.6.0-alpha","v1.6.0-beta","v1.6.0-beta2","v1.6.0-beta3","v1.6.0-beta4","v1.6.1","v1.6.2","v1.6.3-alpha","v1.7.0","v1.7.1","v2.0.0","v2.0.0-alpha","v2.0.0-alpha.1","v2.0.0-alpha.2","v2.0.1","v2.1.0","v2.2.0",
"v2.3.0","v2.4.0","v2.5.0","v2.5.1","v2.5.2","v2.6.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-0926.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}