PatchSiren cyber security CVE debrief
CVE-2026-9629 codesupplyco CVE debrief
The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2. This vulnerability is due to insufficient input sanitization and output escaping, making it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Vendor: codesupplyco
- Product: Canvas
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-13
- Original CVE updated: 2026-06-13
- Advisory published: 2026-06-13
- Advisory updated: 2026-06-13
Who should care
Administrators of WordPress sites running the Canvas plugin, particularly sites that grant contributor-level access or above to users who are not fully trusted, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 6.4 and a CVSS severity of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The weakness is classified as CWE-79.
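As an added illustration of the CWE-79 pattern behind this class of bug (hypothetical WordPress shortcode code, not the Canvas plugin's own source), the vulnerable handler below echoes a stored 'tag' attribute unchanged, while the hardened handler sanitizes on input and escapes per output context; the function names, the shortcode name and the 64-character limit are assumptions.

```php
<?php
// Hypothetical shortcode used to illustrate CWE-79; not code from the Canvas plugin.
// Assumes it runs inside WordPress, where shortcode_atts(), sanitize_text_field(),
// esc_attr(), esc_html() and add_shortcode() are available.

// Vulnerable pattern: the 'tag' attribute is saved with the post by a contributor
// and written straight into markup, so it renders for every visitor of the page.
function example_tag_badge_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'tag' => '' ), $atts, 'example_tag_badge' );
    // No sanitization, no escaping: the raw value lands in an attribute and in text.
    return '<span class="tag" data-tag="' . $atts['tag'] . '">' . $atts['tag'] . '</span>';
}

// Hardened pattern: sanitize the value on the way in, then escape on the way out
// with the escaper that matches each output context.
function example_tag_badge_safe( $atts ) {
    $atts = shortcode_atts( array( 'tag' => '' ), $atts, 'example_tag_badge' );
    // Input sanitization: strips tags, invalid UTF-8 and line breaks; length cap is an assumption.
    $tag = substr( sanitize_text_field( $atts['tag'] ), 0, 64 );
    // Output escaping: esc_attr() inside the attribute, esc_html() for the text node.
    return '<span class="tag" data-tag="' . esc_attr( $tag ) . '">' . esc_html( $tag ) . '</span>';
}

// Register only the hardened handler; the vulnerable one is kept for comparison.
add_shortcode( 'example_tag_badge', 'example_tag_badge_safe' );
```

Sanitization alone is not a substitute for escaping: a value that is safe as text can still break out of an attribute, so both layers are applied.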
Defensive priority
MEDIUM
Recommended defensive actions
- Update the Canvas plugin to a version beyond 2.5.2.
- Limit contributor-level access and above to trusted users.
- Monitor pages for injected scripts.
Evidence notes
Evidence for this vulnerability comes from the National Vulnerability Database (NVD) and Wordfence security research.
Official resources
CVE-2026-9629 was published on 2026-06-13T08:16:12.330Z and has not been modified since then.