PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9104 dartiss CVE debrief

CVE-2026-9104 is a stored cross-site scripting issue in the Draft List WordPress plugin. An authenticated attacker with author-level access or higher can place malicious content in a draft post title, and the payload can execute when another user views the affected page, especially when that viewer lacks edit capabilities. Because the vulnerability is stored and can affect unauthenticated users, subscribers, and other low-privilege viewers, it deserves prompt remediation on any site using the plugin.

Vendor: dartiss
Product: Draft List
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-22
Original CVE updated: 2026-05-22
Advisory published: 2026-05-22
Advisory updated: 2026-05-22

Who should care

WordPress site owners, plugin administrators, managed hosting teams, and security responders should care if Draft List is installed, especially on sites where authors or contributors can create draft content. The risk is greatest where low-privilege users or unauthenticated visitors can view pages that render draft titles.

Technical summary

NVD lists the issue as CVSS 3.1 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) with CWE-79. The flaw is described as insufficient input sanitization and output escaping in draft post title handling, allowing stored XSS. The attack requires authenticated access at author level or above, and the script execution path is triggered when the viewer cannot edit the content. The source corpus points to Draft List versions up to and including 2.6.3 as affected, with referenced 2.6.4 source material indicating a corrected release branch.

Defensive priority

Medium-high. The score is medium, but the stored nature of the flaw and the ability to impact lower-privilege or unauthenticated viewers make it more urgent on internet-facing WordPress sites.

Recommended defensive actions

  • Upgrade Draft List beyond 2.6.3; the source corpus references 2.6.4 as the corrected code path.
  • Restrict author-level posting rights to trusted users only.
  • Review any content workflow that exposes draft titles to non-editors or public viewers.
  • Audit the plugin's output handling for proper escaping and sanitize any user-controlled title fields.
  • Temporarily disable the plugin if you cannot verify a fixed release is deployed.
  • Check for suspicious draft titles or unexpected script-bearing markup in recent content records.

Evidence notes

The debrief is based on the supplied NVD record and the referenced Wordfence source materials. NVD provides the CVSS vector, CWE-79 classification, and the affected version range through 2.6.3. The linked WordPress plugin source references for 2.6.3 and 2.6.4 support the vulnerable and fixed-code context. No exploit steps or unsupported product claims are included.

Official resources

Publicly disclosed in the supplied NVD record on 2026-05-22T05:16:28.290Z.