CVE-2026-1266
Stored XSS in Postalicious WordPress Plugin Allows Admin Script Injection
Publication date: 2026-01-24
Last updated on: 2026-01-24
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pablo_gomez | postalicious | to 3.0.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Postalicious WordPress plugin up to version 3.0.1. It occurs because the plugin does not properly sanitize or escape input in the admin settings. An authenticated attacker with administrator-level permissions can inject malicious scripts into pages. These scripts execute whenever a user accesses the infected page. This vulnerability affects only multi-site WordPress installations or installations where the unfiltered_html capability is disabled.
How can this vulnerability impact me? :
An attacker with administrator-level access can exploit this vulnerability to inject arbitrary web scripts that execute in the context of other users visiting the affected pages. This can lead to theft of sensitive information, session hijacking, or performing actions on behalf of other users without their consent. Since the vulnerability is stored, the malicious script persists and affects all users who access the injected pages, potentially compromising the entire multi-site WordPress environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the Postalicious WordPress plugin version 3.0.1 or earlier is installed on a multi-site WordPress installation with unfiltered_html disabled, and if administrator-level users have injected malicious scripts via admin settings. Since the vulnerability is a stored XSS via admin settings, direct network detection commands are not provided. Instead, detection can be done by reviewing the plugin version in the WordPress admin interface or by checking the plugin files for version 3.0.1 or earlier. Additionally, inspecting the database options related to Postalicious for suspicious script injections in admin settings could help. No specific commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Postalicious plugin to a version later than 3.0.1 if available, or disabling the plugin if an update is not yet released. Since the vulnerability affects multi-site installations and those with unfiltered_html disabled, ensure that unfiltered_html is enabled if possible, or restrict administrator-level access to trusted users only. Additionally, review and sanitize any admin settings related to the plugin to remove any injected scripts. Consider resetting the plugin settings to defaults to remove any malicious stored scripts. Monitoring and restricting administrator permissions can also reduce risk. [1]