AI description
CVE-2026-5721 is associated with two distinct vulnerabilities across different software products, as reported by various sources. According to the National Vulnerability Database (NVD) and other security advisories, this CVE identifies a Stored Cross-Site Scripting (XSS) vulnerability in the `wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin` plugin. This flaw affects all versions up to and including 6.5.0.4 and arises from insufficient input sanitization and output escaping in specific methods (`prepareCellOutput()` of LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes). This could allow unauthenticated attackers to inject arbitrary web scripts into pages if an administrator is deceived into importing data from an attacker-controlled source and the relevant column types are configured. Separately, a recent article from SecurityWeek also references CVE-2026-5721 in connection with a vulnerability found in RabbitMQ, an open-source message broker. This reported issue involves an open management endpoint that could expose the OAuth secret without requiring authentication. The flaw was discovered in an obsolete endpoint within RabbitMQ's management web interface and could be exploited in scenarios where an administrator had configured the broker's confidential password for identity provider authentication. This could potentially allow unauthenticated attackers to acquire the broker's confidential OAuth client secret. This vulnerability was introduced in RabbitMQ version 3.13.0 and has been addressed in subsequent updates, specifically versions 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15.
- Description
- The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.5.0.4. This is due to insufficient input sanitization and output escaping in the prepareCellOutput() method of the LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, given that they can trick an Administrator into importing data from an attacker-controlled source and the affected column types (Link, Image, or Email) are configured.
- Source
- security@wordfence.com
- NVD status
- Deferred
CVSS 3.1
- Type
- Primary
- Base score
- 4.7
- Impact score
- 2.7
- Exploitability score
- 1.6
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
- Severity
- MEDIUM
- security@wordfence.com
- CWE-79
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
2