{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1559", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-28T19:07:17.909Z", "datePublished": "2026-04-18T01:26:05.210Z", "dateUpdated": "2026-04-18T01:26:05.210Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-18T01:26:05.210Z"}, "affected": [{"vendor": "youzify", "product": "Youzify \u2013 BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Youzify <= 1.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'checkin_place_id' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6bd69711-8303-4086-87c3-eb2935a89aff?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/youzify/trunk/includes/public/core/wall/class-youzify-form.php#L506"}, {"url": "https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.6/includes/public/core/wall/class-youzify-form.php#L506"}, {"url": "https://plugins.trac.wordpress.org/browser/youzify/trunk/includes/public/core/class-youzify-wall.php#L109"}, {"url": "https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.6/includes/public/core/class-youzify-wall.php#L109"}, {"url": "https://plugins.trac.wordpress.org/changeset/3483281/youzify/trunk/includes/public/core/wall/class-youzify-form.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fyouzify/tags/1.3.6&new_path=%2Fyouzify/tags/1.3.7"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tharadol Suksamran"}], "timeline": [{"time": "2026-04-17T11:35:43.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-1559", "lastModified": "2026-04-18T02:16:11.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-18T02:16:11.187", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.6/includes/public/core/class-youzify-wall.php#L109"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.6/includes/public/core/wall/class-youzify-form.php#L506"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/youzify/trunk/includes/public/core/class-youzify-wall.php#L109"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/youzify/trunk/includes/public/core/wall/class-youzify-form.php#L506"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3483281/youzify/trunk/includes/public/core/wall/class-youzify-form.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fyouzify/tags/1.3.6&new_path=%2Fyouzify/tags/1.3.7"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6bd69711-8303-4086-87c3-eb2935a89aff?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:41:08.584665+00:00", "value": {"mitigation_remediation": ["Update the Youzify plugin to the latest version that removes the vulnerability.", "If an update is not yet available, disable the checkin feature or restrict Subscriber+ roles from accessing it until a patch is applied.", "Verify that all input handling elsewhere in the plugin is properly sanitized to prevent similar XSS issues, and consider enabling a security plugin that enforces output escaping."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting (XSS) via authenticated checkin_place_id input"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Youzify \u2013 BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress. Versions up to and including 1.3.6 are affected. Any user who has Subscriber\u2011level access or higher on the WordPress installation can exploit the flaw.", "description_and_impact": "The vulnerability arises from insufficient input sanitization and output escaping when the checkin_place_id parameter is processed. Allowing authenticated attackers with Subscriber or higher privileges to embed arbitrary JavaScript results in stored XSS that executes whenever any user views the affected page. This can lead to session hijacking, credential theft, malicious redirects, or defacement of content, compromising the confidentiality and integrity of users\u2019 sessions.", "risk_and_exploitability": "The defect has a CVSS score of 6.4, indicating a moderate severity. The EPSS score for this vulnerability is not available, and it is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with Subscriber privileges, making the attack vector internal to the host site. An attacker can inject malicious scripts that are then executed for every user who visits the page, providing a high-impact vector for credential theft or session hijacking. While the need for an authenticated role limits broader exposure, the impact on user accounts warrants prompt remediation."}}}}, "created": "2026-04-18T08:45:41.382482+00:00", "updated": "2026-04-18T08:45:41.382501+00:00", "vendors": []}