CVE-2026-2427 - Vulnerability Details

The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day_from' and 'day_to' parameters in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Kazunii	Itsukaita
Wordpress	Wordpress

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/itsukaita/tags/0.1.2/itsukaita.php#L55
https://plugins.trac.wordpress.org/browser/itsukaita/trunk/itsukaita.php#L55
https://www.wordfence.com/threat-intel/vulnerabilities/id/a0010ee3-1016-479f-ae60-5d5900862489?source=cve

History

Mon, 23 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kazunii Kazunii itsukaita Wordpress Wordpress wordpress
Vendors & Products		Kazunii Kazunii itsukaita Wordpress Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type	Values Removed	Values Added
Description		The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day_from' and 'day_to' parameters in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.
Title		itsukaita <= 0.1.2 - Reflected Cross-Site Scripting via 'day_from' Parameter
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/itsukaita/tags/0.1.2/itsukaita.php#L55 https://plugins.trac.wordpress.org/browser/itsukaita/trunk/itsukaita.php#L55 https://www.wordfence.com/threat-intel/vulnerabilities/id/a0010ee3-1016-479f-ae60-5d5900862489?source=cve
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-03-21T03:26:57.391Z

Updated: 2026-03-21T03:26:57.391Z

Reserved: 2026-02-12T20:45:42.734Z

Link: CVE-2026-2427

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-21T04:17:01.217

Modified: 2026-03-21T04:17:01.217

Link: CVE-2026-2427

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object