PatchSiren cyber security CVE debrief
CVE-2026-7662 joshin85 CVE debrief
The ePaperFlip Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'publicationid' attribute of the `epaperflip_embed` shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on the shortcode attribute which is injected directly into inline JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Vendor
- joshin85
- Product
- Plugin Name: ePaperFlip Publisher
- CVSS
- MEDIUM 6.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-09
- Original CVE updated
- 2026-06-09
- Advisory published
- 2026-06-09
- Advisory updated
- 2026-06-09
Who should care
Users of the ePaperFlip Publisher plugin for WordPress, particularly those with Contributor-level access and above, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 6.4 and a severity of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The weakness is classified as CWE-79.
Defensive priority
MEDIUM
Recommended defensive actions
- Update the ePaperFlip Publisher plugin to a version that fixes the vulnerability.
- Limit access to the plugin's functionality to trusted users only.
- Monitor pages for injected scripts.
Evidence notes
The vulnerability was reported by [email protected] and is referenced in the CVE record.
Official resources
CVE-2026-7662 was published on 2026-06-09T05:16:39.240Z and modified on 2026-06-09T13:33:34.393Z.