Draft List Plugin Vulnerability (CVE-2026-9104)

On this page

Security Alert Summary

The Draft List plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the handling of draft post titles in all versions up to and including 2.6.3. Insufficient input sanitization and output escaping allow authenticated users with author-level privileges or higher to inject JavaScript that will execute when other users view the affected page, including viewers who lack edit capabilities (such as subscribers or unauthenticated visitors) via attribute-breakout techniques.


CVE Details

  • CVE ID: CVE-2026-9104
  • Affected component: Draft List plugin for WordPress
  • Affected versions: All versions up to and including 2.6.3
  • Published: May 22, 2026 at 5:16:28 AM
  • Last modified: May 22, 2026 at 5:16:28 AM
  • CVSS v3.1: Base score 6.4 (MEDIUM) — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges: Authentication required. Privileges required: Low (author-level or higher).
  • User interaction: None required
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation / Cross-site Scripting)

Technical Details

The vulnerability is a stored cross-site scripting issue that occurs when draft post titles are not properly sanitized or escaped before being output. An authenticated user with author-level access or higher can embed a payload in a draft post title using attribute-breakout techniques. The plugin renders that title into pages where the viewing user does not have edit capabilities; in that context the output is unescaped and the payload executes in the browser of the viewing user.

The attack is triggered specifically when a viewing user lacks edit capabilities, which allows payloads embedded in draft post titles to execute for subscribers or unauthenticated visitors. The result is arbitrary script execution in the context of the affected site for those viewers. This behavior stems from insufficient input sanitization and output escaping in the plugin code paths that render draft titles.


How This Could Impact Your Website

Consider a small editorial team where an internal author or an external contractor adds or edits draft posts: if an author-level account is used to insert a malicious payload into a draft title, any staff member, contributor, subscriber, or public visitor who views the affected list or page may have that script executed in their browser.

  • Exposure of internal user information such as display names or email addresses presented on the page, depending on page content.
  • Increased risk of targeted phishing or social engineering if an attacker harvests visible information or injects UI elements that mimic site controls.
  • Session or credential theft for users who interact with injected scripts that attempt to capture cookies or perform malicious actions in the user session context.

If you\’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and privileges, especially accounts with author-level access or higher.
  • Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior or unexpected content in draft titles and listing pages.

If you\’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References