CVE-2026-0813
Stored XSS in WordPress Short Link Plugin Allows Admin Script Injection
Publication date: 2026-01-14
Last updated on: 2026-01-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| prasanna_sp | short_link | to 1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Short Link WordPress plugin (up to version 1.0) is a Stored Cross-Site Scripting (XSS) issue. It arises because the plugin does not properly sanitize and escape input for the 'short_link_post_title' and 'short_link_page_title' parameters. This allows authenticated users with administrator-level access or higher to inject malicious scripts into pages. These scripts then execute whenever any user accesses the affected page, potentially compromising user security. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrator-level access to inject arbitrary JavaScript code into pages via the plugin's title parameters. When other users visit these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, defacement, or other malicious actions. Although the attacker needs high privileges to exploit this, the impact includes loss of data integrity and user trust, and possible further compromise of the website or its users. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the WordPress site is using the Short Link plugin version 1.0 or earlier. Since the vulnerability involves stored Cross-Site Scripting via the 'short_link_post_title' and 'short_link_page_title' parameters, you can inspect the plugin settings in the WordPress admin interface for suspicious or unexpected HTML or script tags in these fields. Additionally, you can review the plugin files to confirm the version. There are no specific network commands provided to detect this vulnerability. However, you can use WordPress CLI commands to list installed plugins and their versions, for example: `wp plugin list` to check if 'short-link' plugin version 1.0 is installed. Manual inspection of the plugin options for malicious scripts in the titles is recommended. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Restrict administrator-level access to trusted users only, since exploitation requires authenticated users with admin privileges. 2) Review and sanitize the 'short_link_post_title' and 'short_link_page_title' options in the plugin settings to remove any injected scripts. 3) Disable or deactivate the Short Link plugin until a patched version is available. 4) Consider restoring the plugin's default options by using the 'short_link_default_options_db' setting or by deactivating and reactivating the plugin to reset options. 5) Monitor and audit user inputs and plugin settings regularly to prevent injection of malicious scripts. 6) Keep WordPress and all plugins updated to the latest versions once a fix is released. [1, 2]