{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2834", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-19T21:16:35.867Z", "datePublished": "2026-04-15T01:25:16.957Z", "dateUpdated": "2026-04-15T13:22:48.260Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T01:25:16.957Z"}, "affected": [{"vendor": "tokenoftrust", "product": "Age Verification & Identity Verification by Token of Trust", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.32.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018description\u2019 parameter in all versions up to, and including, 3.32.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Age Verification & Identity Verification by Token of Trust <= 3.32.3 - Unauthenticated Stored Cross-Site Scripting via 'description' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d8e037e-c446-44ae-a5ee-bbba938e5edf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/token-of-trust/tags/3.31.4/admin/error-log.php#L4"}, {"url": "https://plugins.trac.wordpress.org/browser/token-of-trust/tags/3.31.4/admin/settings-page/view-logs.php#L13"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Teerachai Somprasong"}], "timeline": [{"time": "2026-01-21T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-04-14T11:34:39.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:22:40.758648Z", "id": "CVE-2026-2834", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:22:48.260Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2834", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T13:22:40.758648Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:22:45.487Z"}}], "cna": {"title": "Age Verification & Identity Verification by Token of Trust <= 3.32.3 - Unauthenticated Stored Cross-Site Scripting via 'description' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Teerachai Somprasong"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "tokenoftrust", "product": "Age Verification & Identity Verification by Token of Trust", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.32.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-21T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-04-14T11:34:39.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d8e037e-c446-44ae-a5ee-bbba938e5edf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/token-of-trust/tags/3.31.4/admin/error-log.php#L4"}, {"url": "https://plugins.trac.wordpress.org/browser/token-of-trust/tags/3.31.4/admin/settings-page/view-logs.php#L13"}], "descriptions": [{"lang": "en", "value": "The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018description\u2019 parameter in all versions up to, and including, 3.32.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T01:25:16.957Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2834", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:22:48.260Z", "dateReserved": "2026-02-19T21:16:35.867Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-15T01:25:16.957Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018description\u2019 parameter in all versions up to, and including, 3.32.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-2834", "lastModified": "2026-04-15T04:17:36.113", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-15T04:17:36.113", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/token-of-trust/tags/3.31.4/admin/error-log.php#L4"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/token-of-trust/tags/3.31.4/admin/settings-page/view-logs.php#L13"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d8e037e-c446-44ae-a5ee-bbba938e5edf?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.32.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Age Verification & Identity Verification by Token of Trust", "source": "cna", "vendor": "tokenoftrust"}, "product": "age_verification_&_identity_verification_by_token_of_trust", "vendor": "tokenoftrust"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T03:50:27.638760+00:00", "value": {"mitigation_remediation": ["Upgrade the Age Verification & Identity Verification by Token of Trust plugin to the latest released version that removes the XSS flaw.", "If an update is not yet available, temporarily deactivate or uninstall the plugin until a fix is provided.", "Apply a Web Application Firewall rule that blocks or sanitizes JavaScript in the \u201cdescription\u201d POST data, which can defuse the immediate threat while the source code is patched."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases of the plugin up to and including version 3.32.3. Any WordPress site that has the Age Verification & Identity Verification by Token of Trust plugin installed at or before version 3.32.3 is affected.", "description_and_impact": "The WordPress plugin \"Age Verification & Identity Verification by Token of Trust\" fails to sanitize or escape user input passed to its \u201cdescription\u201d field. When a malicious value is stored, the plugin later outputs it without proper encoding, allowing an attacker to inject arbitrary HTML or JavaScript that runs in the browser of any user who views the affected content. The impact is the ability for an unauthenticated attacker to execute code in the context of site visitors. Based on the description, it is inferred that an attacker could potentially deface pages, exfiltrate data, or hijack user sessions, although these specific outcomes are not explicitly documented.", "risk_and_exploitability": "The CVSS score of 7.2 reflects high severity due to the lack of authentication required to supply the vulnerable input and the widespread availability of the described flaw. The EPSS score is not available, and the vulnerability is not listed in the Known Exploited Vulnerabilities catalog, indicating no confirmed exploitation yet. The likely attack vector is unauthenticated; an attacker can supply a malicious \u2018description\u2019 payload through the plugin\u2019s input mechanism, which is stored without proper encoding, and causes any visitor to the affected page to execute the injected script."}}}}, "created": "2026-04-15T13:49:14.872002+00:00", "updated": "2026-04-15T14:53:34.613996+00:00", "vendors": ["tokenoftrust", "tokenoftrust$PRODUCT$age_verification_&_identity_verification_by_token_of_trust", "wordpress", "wordpress$PRODUCT$wordpress"]}