CVE-2026-1910
Stored XSS in UpMenu WordPress Plugin via 'lang' Shortcode Attribute
Publication date: 2026-02-14
Last updated on: 2026-02-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| upmenu | online_ordering_for_restaurants | to 3.1 (inc) |
| upmenu | upmenu | to 3.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the UpMenu β Online ordering for restaurants plugin for WordPress, specifically in all versions up to and including 3.1. It is a Stored Cross-Site Scripting (XSS) vulnerability that occurs via the 'lang' attribute of the 'upmenu-menu' shortcode.
This vulnerability is caused by insufficient input sanitization and output escaping on user-supplied attributes, which allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts.
These injected scripts execute whenever any user accesses the page containing the injected content.
How can this vulnerability impact me? :
This Stored Cross-Site Scripting vulnerability can allow an attacker with contributor-level access or above to inject malicious scripts into pages on the affected WordPress site.
When other users visit these pages, the malicious scripts will execute in their browsers, potentially leading to theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of the user.
The CVSS score of 6.4 indicates a medium severity impact, with low attack complexity but requiring some privileges (authenticated contributor-level access).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'lang' attribute of the 'upmenu-menu' shortcode in the UpMenu WordPress plugin. Detection involves identifying if the plugin is installed and if the 'lang' attribute in the shortcode is being exploited to inject scripts.
To detect this on your system, you can search for usage of the 'upmenu-menu' shortcode with suspicious or script-containing 'lang' attributes in your WordPress content or database.
- Use WP-CLI to search posts for the shortcode with potential script tags: wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[upmenu-menu%lang=%<script%'"
- Manually inspect pages or posts that use the [upmenu-menu] shortcode for unexpected or suspicious JavaScript code in the 'lang' attribute.
- Monitor HTTP traffic for injected scripts originating from pages using the UpMenu plugin, especially from authenticated users with contributor-level access or higher.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this Stored Cross-Site Scripting vulnerability in the UpMenu plugin, immediate steps include:
- Update the UpMenu plugin to a version later than 3.1 where the vulnerability is fixed, if such an update is available.
- Restrict contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with at least contributor access.
- Temporarily disable or remove the use of the 'lang' attribute in the 'upmenu-menu' shortcode in your WordPress content to prevent exploitation.
- Implement Web Application Firewall (WAF) rules to detect and block attempts to inject scripts via the 'lang' attribute.
- Review and sanitize all user inputs related to the UpMenu plugin shortcodes until a patch is applied.