MEDIUM 6.4

CVE-2026-10738: jQuery Hover Footnotes Plugin Stored XSS Vulnerability

The jQuery Hover Footnotes plugin for WordPress allows attackers who can write or edit content on a site (author-level access or higher) to hide malicious scripts inside footnote markup. These scripts execute whenever anyone views the affected page. The vulnerability exists because the plugin doesn't properly clean user input before storing it, and the hidden scripts bypass WordPress's built-in protections by using a specific syntax that avoids HTML tags.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

The jQuery Hover Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Footnote Qualifier ('{{...}}' Syntax) in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attribute-breakout payload (e.g., a double-quote followed by an event handler) contains no angle brackets and therefore bypasses WordPress core's wp_kses_post() filtering, which only strips disallowed HTML tags rather than sanitizing attribute contexts.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10738 is a Stored Cross-Site Scripting (XSS) vulnerability in jQuery Hover Footnotes versions up to and including 1.4. The plugin uses a double-brace syntax ('{{...}}') to denote footnote qualifiers, but fails to sanitize this input before database storage. The attack vector exploits attribute-context breakout payloads—typically a double-quote followed by an event handler—which contain no angle brackets and therefore pass through WordPress's wp_kses_post() filter, which is designed to strip disallowed tags but does not validate attribute content. Once stored, the payload executes in the context of any user viewing the page.

Business impact

A compromised WordPress site using this plugin can serve malicious content to all visitors without additional user interaction. An author-level attacker could deface pages, steal session tokens or cookies from readers, redirect visitors to malicious sites, or harvest credentials. The impact scales with site traffic and user privilege levels of readers. For sites where authors are third-party contributors or freelancers, this represents a significant supply-chain or content-management risk.

Affected systems

All WordPress installations using the jQuery Hover Footnotes plugin in version 1.4 or earlier are affected. The vulnerability requires the attacker to have author-level (or higher) permissions, which typically includes Contributors, Authors, Editors, and Administrators. The attack executes in all user browsers that access an injected page.

Exploitability

Exploitability is straightforward for authenticated users with author or higher privilege. The attack requires no special tools or user interaction from victims—it is automatically triggered when a page containing the malicious footnote is viewed. No network-specific conditions or unusual software configurations are required. However, the attacker must first gain or already possess author-level access, which acts as a practical barrier in many WordPress environments.

Remediation

Update jQuery Hover Footnotes to a version newer than 1.4 (verify the specific patched version against the plugin's official repository or vendor advisory). If an update is not immediately available, disable or deactivate the plugin. For sites where author accounts may be compromised, audit recent page and post edits for suspicious footnote syntax and remove any anomalous content.

Patch guidance

Check the WordPress Plugin Directory or the plugin vendor's site for version 1.5 or later, which should include input sanitization and output escaping fixes. Apply the update to all WordPress installations running this plugin. Before updating, back up your WordPress database and theme customizations. After patching, verify that existing footnotes render correctly and that no stored malicious payloads remain in the database.

Detection guidance

Search your WordPress database (wp_posts table) for footnote content containing attribute-breakout patterns, particularly double-quotes followed by event handlers (onload=, onerror=, onclick=, etc.) within the {{...}} syntax. Review the post_modified_gmt timestamps and post_modified_by user IDs for any suspicious edits by author-level accounts. Monitor web server logs for unusual script execution or console errors on pages using the plugin. Consider enabling WordPress security logging to track edits to posts containing this plugin's syntax.

Why prioritize this

Although the CVSS score is MEDIUM (6.4) and the vulnerability is not listed as actively exploited in KEV, Stored XSS in a page-rendering context poses direct risk to all site visitors. The relatively low barrier to exploitation for existing authors and the lack of a patched version availability at time of publication warrant timely action. Prioritize if author accounts are managed by external contributors, if your site has high traffic, or if reader accounts hold sensitive privileges.

Risk score, explained

CVSS 3.1 score of 6.4 (MEDIUM) reflects: Network-based attack vector (AV:N), low attack complexity (AC:L), and requirement for low privileges—specifically author-level access (PR:L). The impact is limited in scope (S:C, confidentiality and integrity only, no availability impact). The score does not account for the fact that Stored XSS is often treated more severely in practice than reflected in CVSS; security teams should consider contextual factors such as site criticality and user demographics when prioritizing.

Frequently asked questions

What is the difference between this vulnerability and reflected XSS?

Reflected XSS typically requires a victim to click a malicious link; the payload is sent in the request and echoed back by the server. Stored XSS persists in the database and executes automatically for every visitor, making it significantly more dangerous and affecting a much larger audience without any user interaction needed.

Can this vulnerability be exploited by users with lower permissions, such as Contributors?

Contributors in WordPress can typically draft and submit posts but cannot publish them; Editors and Administrators can publish and approve content. The vulnerability requires author-level access or higher to directly inject malicious footnotes. However, if a lower-privilege account is compromised or if permissions are misconfigured, the risk surface expands.

Will updating the plugin delete my existing footnotes?

A proper security update should preserve existing data while adding sanitization to new input. However, malicious payloads stored before the update will still be present in the database. After updating, audit and clean any suspicious content, and consider running a post-update integrity check.

Does WordPress's built-in security filter wp_kses_post() prevent this attack?

No. wp_kses_post() strips disallowed HTML tags but does not validate the content of allowed HTML attributes. An attribute-breakout payload (e.g., a quote followed by an event handler) contains no tags, so it passes through. The plugin itself must sanitize input before storage and escape output appropriately for the HTML context.

This analysis is based on the CVE record published 2026-06-09 and modified 2026-06-17. Patch availability, vendor response timelines, and exploitation status may change; verify current status with the WordPress Plugin Directory and official vendor advisories before deployment. CVSS scores are provided for reference and do not represent a complete risk assessment; organizations should evaluate business context, asset criticality, and threat landscape when prioritizing remediation. No proof-of-concept code or weaponized exploit details are provided in this document. Always test security updates in a non-production environment before applying to live systems. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).