PatchSiren

CVE-2026-10553 weaverlancegmailcom CVE debrief

The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 1.4. This vulnerability is due to missing or incorrect nonce validation on the jqFootNotes_options_subpanel function. An unauthenticated attacker can exploit this vulnerability to update the plugin's settings with arbitrary values. Because option values such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title are echoed unescaped into frontend page content, this can be chained into persistent Cross-Site Scripting (XSS) affecting all site visitors via a forged request, provided the attacker can trick a site administrator into performing an action such as clicking on a link.

Vendor: weaverlancegmailcom
Product: jQuery Hover Footnotes
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-09
Advisory published: 2026-06-09
Advisory updated: 2026-06-09

Who should care

Users of the jQuery Hover Footnotes plugin for WordPress running any version up to and including 1.4 are affected by this vulnerability and should take steps to mitigate it.

Technical summary

The vulnerability has a CVSS score of 4.3 and a severity rating of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The weakness is categorized as CWE-352 (Cross-Site Request Forgery).

Defensive priority

MEDIUM

Recommended defensive actions

  • Update the jQuery Hover Footnotes plugin to a version beyond 1.4.
  • Implement proper nonce validation for the jqFootNotes_options_subpanel function.
  • Ensure that user input is properly sanitized and escaped before being rendered on the frontend.
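As an added illustration of the last two actions, written for this debrief and not taken from the plugin: a WordPress settings handler that checks capability and nonce before saving, sanitizes the three option values named above on input, and escapes them on output. The function names `jqfoot_save_options_hardened` and `jqfoot_render_footnote_anchor`, the nonce action and field names, and the option defaults are assumptions.

```php
<?php
// Illustrative hardened handler (not the plugin's own code). Option names
// jqfoot_anchor_open, jqfoot_anchor_close and jqfoot_title come from the
// advisory; the nonce action/field names and defaults are assumptions.

function jqfoot_save_options_hardened() {
    // 1. Capability check: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: a forged cross-site POST cannot carry a valid token.
    //    The settings form must emit it with
    //    wp_nonce_field( 'jqfoot_save_options', 'jqfoot_nonce' ).
    $nonce = isset( $_POST['jqfoot_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['jqfoot_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'jqfoot_save_options' ) ) {
        wp_die( esc_html__( 'Security check failed.' ), '', array( 'response' => 403 ) );
    }

    // 3. Sanitize on input: strip tags and control characters before storing.
    $fields = array( 'jqfoot_anchor_open', 'jqfoot_anchor_close', 'jqfoot_title' );
    foreach ( $fields as $name ) {
        if ( isset( $_POST[ $name ] ) ) {
            update_option( $name, sanitize_text_field( wp_unslash( $_POST[ $name ] ) ) );
        }
    }
}

// 4. Escape on output: even if an option were tampered with by another
//    route, it cannot break out of its HTML attribute or text context.
function jqfoot_render_footnote_anchor( $label ) {
    $open  = get_option( 'jqfoot_anchor_open', '[' );  // default assumed
    $close = get_option( 'jqfoot_anchor_close', ']' ); // default assumed
    $title = get_option( 'jqfoot_title', '' );
    return '<a class="jqfoot-anchor" title="' . esc_attr( $title ) . '">'
        . esc_html( $open . $label . $close ) . '</a>';
}
```

The same result can be reached with `check_admin_referer( 'jqfoot_save_options', 'jqfoot_nonce' )`, which performs the nonce check and dies on failure in one call.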

Evidence notes

Evidence for this vulnerability comes from the National Vulnerability Database (NVD) and Wordfence security research.

Official resources

CVE-2026-10553 was published on 2026-06-09T05:16:29.830Z and modified on 2026-06-09T13:33:34.393Z.