CVE-2026-0594
📋 TL;DR
The List Site Contributors WordPress plugin has a reflected cross-site scripting vulnerability in versions up to 1.1.8. Unauthenticated attackers can inject malicious scripts via the 'alpha' parameter, potentially stealing user credentials or session cookies when victims click specially crafted links. This affects all WordPress sites using vulnerable versions of the plugin.
💻 Affected Systems
- WordPress List Site Contributors plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator credentials, gain full site control, install backdoors, or redirect users to malicious sites.
Likely Case
Session hijacking, credential theft from users who click malicious links, or defacement of specific pages.
If Mitigated
Limited impact if users have script blockers, modern browsers with XSS filters, or clickjacking protection.
🎯 Exploit Status
Simple reflected XSS requiring user interaction via crafted URL.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.9 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/list-site-contributors/trunk/list-site-contributors.php
Restart Required: No
Instructions:
1. Log into WordPress admin dashboard
2. Navigate to Plugins → Installed Plugins
3. Find 'List Site Contributors' plugin
4. Click 'Update Now' if available
5. Alternatively, download version 1.1.9+ from WordPress repository and manually update
🔧 Temporary Workarounds
Input Validation via .htaccess
Block requests whose alpha parameter contains a tag or quote character. %{QUERY_STRING} is matched as sent, before any URL decoding, so the percent-encoded forms are listed alongside the raw characters (browsers normally send < " ' encoded as %3C %22 %27). Rewrite rules take effect only if RewriteEngine On is present; the standard WordPress .htaccess already sets it.
RewriteEngine On
RewriteCond %{QUERY_STRING} alpha=.*(<|%3C|\"|%22|'|%27) [NC]
RewriteRule ^ - [F]
🧯 If You Can't Patch
- Disable the List Site Contributors plugin immediately
- Implement Content Security Policy (CSP) headers to restrict script execution
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin, open Plugins → Installed Plugins and read the version shown for List Site Contributors. Version 1.1.8 or lower is vulnerable.
Check Version:
wp plugin list --name='list-site-contributors' --field=version
Verify Fix Applied:
Confirm plugin version is 1.1.9 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with 'alpha' parameter containing script tags or encoded payloads
- Unusual referrer URLs with long encoded parameters
Network Indicators:
- GET requests to WordPress pages with suspicious 'alpha' parameter values
SIEM Query:
http.url:*alpha=* AND (http.url:*script* OR http.url:*%3C* OR http.url:*javascript*)
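As an added example (not code from the advisory, Wordfence or the plugin), the following Python script applies the log indicators above to constructed Common Log Format lines, decoding the alpha parameter repeatedly so percent-encoded and double-encoded payloads are caught as well. The regular expressions, the log format and the sample client addresses are assumptions.

```python
"""Added example: flag access-log entries whose 'alpha' query parameter
carries script-like content, after undoing percent-encoding."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script-like content: any tag, a javascript: URI, or an on*= event handler.
# Mirrors the advisory's log indicators (script tags, encoded payloads).
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon\w+\s*=", re.I)

# Common Log Format (assumed); only client IP, request path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2026:12:00:01 +0000] "GET /?alpha=B HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Feb/2026:12:00:02 +0000] "GET /?alpha=%3Cscript%3Etest%3C/script%3E HTTP/1.1" 200 5200',
    '203.0.113.9 - - [10/Feb/2026:12:00:03 +0000] "GET /?alpha=%253Cscript%253Etest%253C%252Fscript%253E HTTP/1.1" 200 5200',
    '198.51.100.4 - - [10/Feb/2026:12:00:04 +0000] "GET /?s=alpha HTTP/1.1" 200 4800',
]


def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so double encoding is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(path):
    """Return decoded 'alpha' values that look like XSS; [] when the request is clean."""
    values = parse_qs(urlsplit(path).query, keep_blank_values=True).get("alpha", [])
    decoded = [fully_decode(v) for v in values]  # parse_qs already decoded one layer
    return [v for v in decoded if SUSPICIOUS.search(v)]


def scan_log(lines):
    """Return (client_ip, status, decoded_alpha) for every suspicious entry."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in Common Log Format: skip rather than crash
        for hit in inspect_request(m["path"]):
            findings.append((m["ip"], m["status"], hit))
    return findings
```

Running scan_log(SAMPLE_LOG) reports the second and third constructed lines, the third only because the double-encoded value is decoded twice; a 200 status on such a request means the payload reached the plugin and the page should be checked for the fixed version.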
🔗 References
- https://plugins.trac.wordpress.org/browser/list-site-contributors/tags/1.1.8/list-site-contributors.php#L435
- https://plugins.trac.wordpress.org/browser/list-site-contributors/trunk/list-site-contributors.php#L435
- https://www.wordfence.com/threat-intel/vulnerabilities/id/026a2e0d-4d30-4133-9118-055026aa9f4a?source=cve