7.1
DukaPress plugin allows malicious code injection via user input
CVE-2026-2466
Summary
The DukaPress WordPress plugin is vulnerable to reflected cross-site scripting: a request parameter is output back in the page without being sanitised or escaped, so an attacker can inject malicious code into a page rendered for a victim. Any website using the plugin could be affected, and the issue is most serious when the victim is a high-privilege user such as an administrator, because it could allow the attacker to take control of the site. To fix this, update the DukaPress plugin to version 3.2.5 or later.
Original title
The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against ...
Original description
The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026