WordPress: Malicious Code Can Be Injected via Rejected Posts
CVE-2026-27317
Summary
If an attacker can trick a WordPress administrator into rejecting a post, they may be able to inject malicious code into the site. This could allow the attacker to perform unauthorized actions on the site. To prevent this, consider restricting or disabling the ability to reject posts via the WordPress admin interface.
Original title
Rejected reason: Not used
Original description
Rejected reason: Not used
Published: 20 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026