What the vulnerability does
01 Description
The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
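The two missing controls named above, sanitizing the setting when it is saved and escaping it when it is rendered, look like this in WordPress. This is an added example, not the Makesweat plugin's code: only the option name 'makesweat_clubid' comes from the advisory, while the settings group, the function and shortcode names, the markup and the allowed club ID character set are assumptions.

```php
<?php
// Added example (hypothetical hardening, not the plugin's own code).

// 1. Sanitize on input: every save of the option goes through the callback.
add_action( 'admin_init', function () {
    register_setting(
        'example_makesweat_options',   // assumed settings group name
        'makesweat_clubid',            // option named in the advisory
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_clubid',
            'default'           => '',
        )
    );
} );

function example_sanitize_clubid( $value ) {
    if ( ! is_scalar( $value ) ) {
        return '';                     // reject arrays/objects outright
    }
    $value = sanitize_text_field( (string) $value );
    // Assumption: a club ID only needs letters, digits, '-' and '_'.
    return preg_replace( '/[^A-Za-z0-9_-]/', '', $value );
}

// 2. Escape on output: treat the stored value as untrusted even after
//    sanitizing, because older rows may predate the callback.
function example_render_clubid_field() {
    printf(
        '<input type="text" name="makesweat_clubid" value="%s" />',
        esc_attr( get_option( 'makesweat_clubid', '' ) )
    );
}

add_shortcode( 'example_makesweat', function () {
    $club_id = get_option( 'makesweat_clubid', '' );
    // The unsafe pattern is concatenating $club_id into markup unescaped.
    return sprintf(
        '<div class="example-makesweat" data-club="%s">%s</div>',
        esc_attr( $club_id ),          // attribute context
        esc_html( $club_id )           // element text context
    );
} );
```

Escaping at output is the control that also covers values stored before a sanitize callback existed, so both layers are needed.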
Explanation of Vulnerability in Simple Terms
02 Summary
Makesweat versions 0.1 and earlier contain a cross-site scripting (XSS) vulnerability that allows high-privilege users to inject malicious scripts affecting other users or components. The vulnerability requires high attack complexity and high privileges to exploit. Impact is limited to low-level confidentiality and integrity compromise.
What an attacker can do
03 Attacker Capabilities
Inject malicious scripts that affect other users or site components.
Potential impact on your site
04 Site Impact
High-privilege accounts could be abused to inject scripts affecting site visitors or data integrity.
Conditions required to exploit
05 Prerequisites
Attacker must have high-level privileges (e.g., admin or moderator role) and network access.
Key dates
06 Disclosure timeline
January 14, 2026: CVE published
April 8, 2026: Record updated