PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8494 mbis CVE debrief

The Permalink Manager Lite plugin for WordPress has a Stored Cross-Site Scripting vulnerability via post titles in the admin URI Editor interface in all versions up to, and including, 2.5.3.3. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in the admin Permalink Manager page, which will execute when an administrator accesses the Permalink Manager page. The vulnerability has a CVSS score of 6.4 and is classified as MEDIUM severity. WordPress users should update to a patched version to mitigate this risk.

Vendor: mbis
Product: Permalink Manager Lite
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

WordPress administrators and users with Contributor-level access and above who use the Permalink Manager Lite plugin should be aware of this vulnerability and take steps to mitigate it. This vulnerability could allow attackers to inject malicious scripts, potentially leading to unauthorized actions or data breaches.

Technical summary

The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in the admin URI Editor interface. The vulnerability exists due to insufficient output escaping, allowing authenticated attackers with Contributor-level access and above to inject arbitrary web scripts. These scripts will execute when an administrator accesses the Permalink Manager page. The vulnerability is tracked as CVE-2026-8494 and has a CVSS score of 6.4.

Defensive priority

High

Recommended defensive actions

  • Update Permalink Manager Lite to a patched version (if available)
  • Limit Contributor-level access and above to only trusted users
  • Regularly monitor Permalink Manager pages for suspicious activity
  • Implement a Web Application Firewall (WAF) to detect and prevent XSS attacks
  • Keep WordPress and all plugins up-to-date with the latest security patches
  • Use a security plugin to scan for vulnerabilities and monitor site integrity
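A triage helper for the update and monitoring actions above, as an added example (not code from the plugin, the vendor or the advisory). It checks an installed version against the affected range and flags post titles that carry markup, returning them HTML-escaped so the report itself is safe to display; the sample posts, author names, version strings and the markup heuristic are assumptions made for illustration.

```python
import html
import re

# From the advisory: every version up to and including 2.5.3.3 is affected.
LAST_AFFECTED = (2, 5, 3, 3)

# Heuristic for markup in a title: a tag opener, a numeric character
# reference, an inline event-handler attribute, or a javascript: URL.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|&#|\bon\w+\s*=|javascript:", re.I)


def parse_version(text):
    """'2.5.3.3' -> (2, 5, 3, 3). Raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(installed):
    """True when the installed version is <= 2.5.3.3 (shorter versions are zero-padded)."""
    version = parse_version(installed)
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) <= pad(LAST_AFFECTED)


def suspicious_titles(posts):
    """Return (id, author, HTML-escaped title) for each title that carries markup."""
    return [
        (p["id"], p["author"], html.escape(p["title"], quote=True))
        for p in posts
        if MARKUP.search(p["title"])
    ]


# Constructed sample rows standing in for an export of post ID, author and title.
SAMPLE_POSTS = [
    {"id": 101, "author": "editor1", "title": "Quarterly results & outlook"},
    {"id": 102, "author": "contrib7", "title": "<img src=x onerror=alert(1)>"},
    {"id": 103, "author": "contrib7", "title": "Why 3 < 5 matters"},
    {"id": 104, "author": "contrib9", "title": "<script>alert(1)</script>"},
]

if __name__ == "__main__":
    for installed in ("2.5.3.3", "2.5.3.4"):  # constructed version strings
        print(installed, "affected" if is_affected(installed) else "not in affected range")
    for post_id, author, safe_title in suspicious_titles(SAMPLE_POSTS):
        print(f"review post {post_id} by {author}: {safe_title}")
```

The heuristic is deliberately broad and will flag some harmless titles; treat hits as items to review, not as confirmed injections.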

Evidence notes

The vulnerability was reported by [email protected] and is documented in the CVE-2026-8494 record on CVE.org and NVD. It affects all versions of Permalink Manager Lite up to and including 2.5.3.3.
