CVE-2026-5721

Published Apr 20, 2026

Last updated 3 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-5721 is associated with two distinct vulnerabilities across different software products, as reported by various sources. According to the National Vulnerability Database (NVD) and other security advisories, this CVE identifies a Stored Cross-Site Scripting (XSS) vulnerability in the `wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin` plugin. This flaw affects all versions up to and including 6.5.0.4 and arises from insufficient input sanitization and output escaping in specific methods (`prepareCellOutput()` of LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes). This could allow unauthenticated attackers to inject arbitrary web scripts into pages if an administrator is deceived into importing data from an attacker-controlled source and the relevant column types are configured. Separately, a recent article from SecurityWeek also references CVE-2026-5721 in connection with a vulnerability found in RabbitMQ, an open-source message broker. This reported issue involves an open management endpoint that could expose the OAuth secret without requiring authentication. The flaw was discovered in an obsolete endpoint within RabbitMQ's management web interface and could be exploited in scenarios where an administrator had configured the broker's confidential password for identity provider authentication. This could potentially allow unauthenticated attackers to acquire the broker's confidential OAuth client secret. This vulnerability was introduced in RabbitMQ version 3.13.0 and has been addressed in subsequent updates, specifically versions 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15.

Description
The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.5.0.4. This is due to insufficient input sanitization and output escaping in the prepareCellOutput() method of the LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, given that they can trick an Administrator into importing data from an attacker-controlled source and the affected column types (Link, Image, or Email) are configured.
Source
security@wordfence.com
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Primary
Base score
4.7
Impact score
2.7
Exploitability score
1.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

security@wordfence.com
CWE-79

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

2