Threat Entry Updated 2026-06-17

CVE-2026-8494 - Permalink Manager Plugin

The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in the admin URI Editor interface in all versions up to, and including, 2.5.3.3 due to insufficient output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in the admin Permalink Manager page that will execute whenever an administrator accesses the Permalink Manager page.

PLUGIN Permalink Manager

CVE-2026-8494

MEDIUM CVSS 6.4 2026-06-17

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-09-13

CVE-2024-8195 - Permalink Manager Plugin

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'debug_data', 'debug_query', and 'debug_redirect' functions in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to extract sensitive data including password, title, and content of password-protected posts.

PLUGIN Permalink Manager

CVE-2024-8195

MEDIUM CVSS 5.3 2024-08-28

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2022-0201 - Permalink Manager Plugin

The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalink Manager Pro WordPress plugin before 2.2.15 do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue

PLUGIN Permalink Manager

CVE-2022-0201

MEDIUM CVSS 6.1 2022-02-14

Risk Score

Open Full Technical Breakdown