CVE-2026-1809
Stored XSS in WordPress HTML Tag Shortcodes Plugin
Publication date: 2026-02-11
Last updated on: 2026-02-11
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jared_hoylman | html_tag_shortcodes | to 1.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The HTML Tag Shortcodes plugin for WordPress, up to and including version 1.1, is vulnerable to Stored Cross-Site Scripting (XSS). This vulnerability arises because the plugin does not properly sanitize or escape user-supplied attributes in its shortcodes. Authenticated users with contributor-level access or higher can inject malicious scripts into pages via shortcode attributes. These scripts then execute whenever any user views the infected page.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by searching for instances of the HTML Tag Shortcodes plugin version 1.1 or earlier installed on your WordPress site, especially if contributor-level or higher users have added shortcodes with potentially malicious attributes.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or presence of injected scripts, you can search your WordPress content database for shortcode usage patterns that include suspicious or unexpected script tags or JavaScript event handlers within shortcode attributes.'}, {'type': 'list_item', 'content': "Use SQL queries on the WordPress database to find shortcodes with suspicious attributes, for example: SELECT * FROM wp_posts WHERE post_content LIKE '%[iframe%onload=%' OR post_content LIKE '%[a%onmouseover=%';"}, {'type': 'list_item', 'content': "Use command-line tools like grep to scan WordPress content files or backups for suspicious shortcode usage: grep -r '\\[iframe.*onload=' /path/to/wordpress/wp-content/"}, {'type': 'list_item', 'content': 'Monitor HTTP requests and responses for injected scripts or unusual iframe tags in pages generated by the plugin shortcodes.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing or disabling the HTML Tag Shortcodes plugin if it is not essential, or restricting contributor-level and above users from adding or editing shortcodes until a patched version is available.
Ensure that user input is sanitized and escaped properly before being output in shortcodes to prevent stored cross-site scripting.
Apply any available updates or patches from the plugin author that address this vulnerability.
Review and clean existing content for injected malicious scripts or shortcodes with unsafe attributes.
Implement web application firewall (WAF) rules to detect and block attempts to exploit this vulnerability.
How can this vulnerability impact me? :
This vulnerability allows attackers with contributor-level access or above to inject arbitrary web scripts into WordPress pages. The impact includes:
- Execution of malicious scripts in the context of users visiting the infected pages.
- Potential theft of user session cookies or credentials.
- Defacement or unauthorized modification of website content.
- Possible redirection to malicious websites or phishing pages.
- Compromise of user trust and website integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know