CVE-2026-1823
Stored XSS in Consensus Embed WordPress Plugin Allows Script Injection
Publication date: 2026-03-07
Last updated on: 2026-03-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| consensus_embed | consensus_embed | to 1.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Consensus Embed plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 1.6. This vulnerability occurs because the plugin does not properly sanitize or escape user-supplied attributes in its consensus shortcode. Authenticated users with contributor-level access or higher can inject malicious web scripts into pages. These scripts execute whenever any user accesses the infected page.
Technically, the vulnerability arises in the embed_demo() method of the plugin, which processes shortcode attributes like src, width, height, and lightbox. The plugin embeds these attributes directly into HTML output without sufficient validation or sanitization, especially when the lightbox attribute is true, allowing injection of arbitrary scripts.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with contributor-level access to inject malicious scripts into your WordPress site pages. These scripts will execute in the browsers of any users who visit the affected pages.
- It can lead to theft of user credentials or session cookies.
- It can enable unauthorized actions on behalf of users (such as changing settings or posting content).
- It can be used to deliver malware or redirect users to malicious sites.
- It undermines the trustworthiness and security of your website.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves Stored Cross-Site Scripting (XSS) via the consensus shortcode attributes in the Consensus Embed WordPress plugin. Detection involves identifying pages or posts containing the vulnerable shortcode with potentially malicious script injections.'}, {'type': 'paragraph', 'content': 'You can search your WordPress database for instances of the [consensus] shortcode containing suspicious script tags or unusual attributes.'}, {'type': 'list_item', 'content': 'Use a SQL query to find posts with the shortcode and potential script injections, for example:'}, {'type': 'list_item', 'content': "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[consensus%' AND post_content LIKE '%<script%';"}, {'type': 'paragraph', 'content': 'Additionally, you can scan your web server logs or use web vulnerability scanners to detect XSS payloads triggered by this plugin.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Consensus Embed plugin to a version that fixes the input sanitization and output escaping issues, if such an update is available.
If no update is available, temporarily disable or deactivate the Consensus Embed plugin to prevent exploitation.
Review and sanitize any existing content using the [consensus] shortcode to remove malicious scripts.
Limit contributor-level access and above to trusted users only, as the vulnerability requires authenticated contributor-level access.