CVE-2026-1569
Stored XSS in Wueen WordPress Plugin via Shortcode Attributes
Publication date: 2026-03-07
Last updated on: 2026-03-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Wueen plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) through its `wueen-blocket` shortcode in all versions up to and including 0.2.0. This vulnerability arises because the plugin does not properly sanitize or escape user-supplied attributes. As a result, authenticated attackers with contributor-level access or higher can inject arbitrary malicious scripts into pages. These scripts execute whenever any user accesses the infected page, potentially compromising user data or site integrity.
How can this vulnerability impact me? :
This vulnerability can allow attackers with contributor-level access to inject malicious scripts into WordPress pages via the Wueen plugin's shortcode. The impact includes the execution of arbitrary scripts in the context of users visiting the affected pages, which can lead to theft of user credentials, session hijacking, defacement, or distribution of malware. Since the vulnerability requires authenticated access, it primarily threatens sites where contributors or higher roles are present.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Wueen WordPress plugin's shortcode `wueen-blocket` allowing stored cross-site scripting via insufficient input sanitization and output escaping. Detection would focus on identifying the presence of this plugin version (up to 0.2.0) and monitoring for suspicious shortcode usage or injected scripts in pages.
To detect the vulnerability on your system, you can check if the Wueen plugin version 0.2.0 or earlier is installed in your WordPress environment.
- Use WP-CLI to list installed plugins and their versions: `wp plugin list`
- Search for the shortcode usage in your WordPress content database: `wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[wueen-blocket%'"`
- Inspect pages or posts for injected scripts or unusual content within the shortcode output.
Network detection of exploitation attempts is difficult because the attack requires authenticated contributor-level access and involves stored scripts executed in users' browsers. Monitoring for unusual POST requests or changes to posts containing the shortcode may help.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing or updating the vulnerable Wueen plugin to a version that fixes the input sanitization and output escaping issues.
- If an update is not available, disable or uninstall the Wueen plugin to prevent exploitation.
- Restrict contributor-level user permissions to trusted users only, as the vulnerability requires authenticated contributor-level access or higher.
- Review and sanitize existing content that uses the `[wueen-blocket]` shortcode to remove any injected malicious scripts.
- Monitor your WordPress site for suspicious activity, including unexpected changes to posts or shortcode usage.