CVE-2026-1905
Stored XSS in WordPress Sphere Manager Plugin Allows Script Injection

Publication date: 2026-02-14

Last updated on: 2026-02-14

Assigner: Wordfence

Description
The Sphere Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in the 'show_sphere_image' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
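The description attributes the flaw to insufficient input sanitization and output escaping of a shortcode attribute. The following is an added illustration of that pattern in a minimal WordPress shortcode handler; it is not the Sphere Manager plugin's code. The shortcode name and the 'width' attribute come from the advisory; the image URL, function names and markup are assumptions. `shortcode_atts`, `absint`, `esc_attr`, `esc_url` and `add_shortcode` are standard WordPress API functions.

```php
<?php
// Added example, not the plugin's code. Shows the CWE-79 pattern described in
// the advisory: a shortcode attribute ("width") written into HTML output without
// sanitization or escaping, next to a hardened handler for the same shortcode.
// Image URL and function names are constructed placeholders.

// Unsafe pattern: the raw attribute value is concatenated into the tag.
// Whatever a Contributor puts in width="..." lands in the page unchanged and is
// rendered for every visitor who loads the post, which is the stored XSS the
// advisory describes.
function example_sphere_image_unsafe( $atts ) {
    $src   = 'https://example.invalid/sphere.jpg';   // constructed placeholder
    $width = isset( $atts['width'] ) ? $atts['width'] : '300';
    return '<img src="' . $src . '" width="' . $width . '">';
}

// Hardened pattern: declare the expected attributes with defaults, coerce
// "width" to the only type it can legitimately be (a positive integer), and
// escape every value at the point it is written into HTML.
function example_sphere_image_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'width' => 300 ),
        $atts,
        'show_sphere_image'
    );

    $width = absint( $atts['width'] );   // any non-numeric input becomes 0
    if ( 0 === $width ) {
        $width = 300;                    // fall back to the default size
    }

    $src = 'https://example.invalid/sphere.jpg';   // constructed placeholder

    // esc_url() on the source, esc_attr() on the attribute: escaping happens
    // at output time regardless of what validation ran earlier.
    return sprintf(
        '<img src="%s" width="%s" alt="">',
        esc_url( $src ),
        esc_attr( $width )
    );
}

add_shortcode( 'show_sphere_image', 'example_sphere_image_safe' );
```

The key design point is that the hardened handler does not try to recognise malicious input; it reduces the attribute to the value type the markup actually needs and escapes on output. For attributes that are free text rather than numeric, the same structure applies with `sanitize_text_field()` on input and `esc_attr()` on output.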
Meta Information
Published: 2026-02-14
Last Modified: 2026-02-14
Generated: 2026-05-27
AI Q&A: 2026-02-14
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 1 associated CPE
Vendor          Product   Version / Range
sphere_manager  plugin    up to 1.0.2 (inclusive)
CWE ID   Description
CWE-79   The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

The Sphere Manager plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'width' parameter of the 'show_sphere_image' shortcode in all versions up to and including 1.0.2.

This vulnerability arises because the plugin does not properly sanitize or escape input for this parameter, allowing authenticated users with Contributor-level access or higher to inject arbitrary web scripts.

These injected scripts execute whenever any user accesses a page containing the malicious shortcode, potentially compromising the security of the website and its users.

How can this vulnerability impact me?

This vulnerability can allow attackers with Contributor-level access or higher to inject malicious scripts into pages viewed by other users.

  • Execution of arbitrary scripts in users' browsers, potentially leading to session hijacking or theft of sensitive information.
  • Defacement or unauthorized modification of website content.
  • Potential spread of malware or phishing attacks through injected scripts.
  • Loss of user trust and damage to the website's reputation.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know

How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know

What immediate steps should I take to mitigate this vulnerability?

To mitigate the Stored Cross-Site Scripting vulnerability in the Sphere Manager plugin for WordPress, you should immediately update the plugin to a version later than 1.0.2 where the vulnerability is fixed.

If an update is not yet available, restrict Contributor-level and higher user access to trusted users only, as the vulnerability requires authenticated users with Contributor-level access or above to exploit.

Additionally, consider disabling or removing the Sphere Manager plugin until a patched version is released to prevent exploitation.
