PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11898 videousermanuals CVE debrief

The White Label CMS plugin for WordPress has a Stored Cross-Site Scripting vulnerability via admin settings in all versions up to, and including, 2.7.12. This is due to insufficient input sanitization and output escaping. Authenticated attackers with administrator-level permissions can inject web scripts that execute when a user accesses an injected page. This affects multi-site installations and installations where unfiltered_html has been disabled.

Vendor
videousermanuals
Product
White Label CMS
CVSS
MEDIUM 4.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Administrators of WordPress installations using the White Label CMS plugin, especially those with multi-site setups or where unfiltered_html is disabled, should assess and mitigate this vulnerability.

Technical summary

The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings. This occurs because the plugin does not properly sanitize input or escape output. An attacker with administrator-level permissions can inject malicious scripts that will be executed when a user views an affected page. This vulnerability is particularly relevant for multi-site installations and those with unfiltered_html disabled.

Defensive priority

Medium priority due to the requirement for administrator-level access and specific configuration (multi-site or unfiltered_html disabled).

Recommended defensive actions

  • Update the White Label CMS plugin to a version beyond 2.7.12 if available.
  • Restrict administrator-level permissions to trusted users.
  • Monitor for suspicious admin activity and injected scripts.
  • Consider disabling unfiltered_html if not required.
  • Regularly review and update plugins and themes.

Evidence notes

Evidence from the CVE record and NVD detail indicate a Stored Cross-Site Scripting vulnerability in the White Label CMS plugin for WordPress. The CVE was published and last modified on 2026-07-11T07:16:45.213Z. The vulnerability requires administrator-level permissions and affects specific configurations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:45.213Z and has not been modified since then.