cleantalk
Vulnerabilities and Security Researches

jQuery Hover Footnotes, CVE-2026-10738

CVE, Research URL

CVE-2026-10738

Home page URL

Security reports for jQuery Hover Footnotes

Application

jQuery Hover Footnotes

Published on
Jun 09, 2026
Research Description
The jQuery Hover Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Footnote Qualifier ('{{...}}' Syntax) in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attribute-breakout payload (e.g., a double-quote followed by an event handler) contains no angle brackets and therefore bypasses WordPress core's wp_kses_post() filtering, which only strips disallowed HTML tags rather than sanitizing attribute contexts.
Affected versions
max 1.4.
Status
vulnerable
Previous vulnerability researches
Spam protection, Anti-Spam, FireWall by CleanTalk (CVE-2024-10542) , Nov 26, 2024
Spam protection, Anti-Spam, FireWall by CleanTalk (CVE-2024-10781) , Nov 26, 2024
Spam protection, Anti-Spam, FireWall by CleanTalk , Aug 02, 2024
Spam protection, Anti-Spam, FireWall by CleanTalk (CVE-2026-8071) , Jun 11, 2026
Spam protection, Anti-Spam, FireWall by CleanTalk (CVE-2021-24295) , Jun 07, 2024
New vulnerability
Store Locator WordPress (CVE-2026-9060) , Jun 11, 2026
Woody code snippets – Insert Header Footer Code, AdSense Ads (CVE-2017-20251) , Jun 11, 2026
Custom Blocks Constructor – Lazy Blocks (CVE-2026-8981) , Jun 11, 2026
jQuery Hover Footnotes (CVE-2026-10738) , Jun 11, 2026
jQuery Hover Footnotes (CVE-2026-10553) , Jun 11, 2026