PatchSiren cyber security CVE debrief
CVE-2026-11898 videousermanuals CVE debrief
The White Label CMS plugin for WordPress has a Stored Cross-Site Scripting vulnerability via admin settings in all versions up to, and including, 2.7.12. This is due to insufficient input sanitization and output escaping. Authenticated attackers with administrator-level permissions can inject web scripts that execute when a user accesses an injected page. This affects multi-site installations and installations where unfiltered_html has been disabled.
- Vendor
- videousermanuals
- Product
- White Label CMS
- CVSS
- MEDIUM 4.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Administrators of WordPress installations using the White Label CMS plugin, especially those with multi-site setups or where unfiltered_html is disabled, should assess and mitigate this vulnerability.
Technical summary
The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings. This occurs because the plugin does not properly sanitize input or escape output. An attacker with administrator-level permissions can inject malicious scripts that will be executed when a user views an affected page. This vulnerability is particularly relevant for multi-site installations and those with unfiltered_html disabled.
Defensive priority
Medium priority due to the requirement for administrator-level access and specific configuration (multi-site or unfiltered_html disabled).
Recommended defensive actions
- Update the White Label CMS plugin to a version beyond 2.7.12 if available.
- Restrict administrator-level permissions to trusted users.
- Monitor for suspicious admin activity and injected scripts.
- Consider disabling unfiltered_html if not required.
- Regularly review and update plugins and themes.
Evidence notes
Evidence from the CVE record and NVD detail indicate a Stored Cross-Site Scripting vulnerability in the White Label CMS plugin for WordPress. The CVE was published and last modified on 2026-07-11T07:16:45.213Z. The vulnerability requires administrator-level permissions and affects specific configurations.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:45.213Z and has not been modified since then.