CVE-2026-1891
Stored XSS in Simple Football Scoreboard WordPress Plugin Allows Script Injection
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| simple_football_scoreboard | 1.0 | to 1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-1891 is a Stored Cross-Site Scripting (XSS) vulnerability in the Simple Football Scoreboard WordPress plugin (version 1.0 and earlier). It arises because the plugin does not sufficiently sanitize and escape user-supplied attributes in the 'ytmr_fb_scoreboard' shortcode."}, {'type': 'paragraph', 'content': 'Authenticated users with Contributor-level access or higher can inject arbitrary web scripts into pages using this shortcode. These scripts then execute whenever any user views the affected page, potentially compromising site security.'}] [1, 3]
How can this vulnerability impact me? :
This vulnerability allows attackers with Contributor-level access or above to inject malicious scripts into web pages via the scoreboard shortcode. These scripts execute in the context of users visiting those pages.
- It can lead to theft of user credentials or session tokens.
- It may enable unauthorized actions on behalf of users (e.g., changing settings or content).
- It can facilitate the spread of malware or phishing attacks.
- It undermines the integrity and trustworthiness of the affected website.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability involves the Simple Football Scoreboard WordPress plugin version 1.0 or earlier, which is vulnerable to Stored Cross-Site Scripting via the 'ytmr_fb_scoreboard' shortcode. Detection involves identifying the presence of this plugin and checking for usage of the vulnerable shortcode with potentially malicious input."}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can:'}, {'type': 'list_item', 'content': 'Check if the Simple Football Scoreboard plugin (version 1.0 or earlier) is installed and active on your WordPress site.'}, {'type': 'list_item', 'content': "Search your WordPress content (posts, pages, widgets) for the shortcode '[ytmr_fb_scoreboard]' which is the vector for the vulnerability."}, {'type': 'list_item', 'content': 'Look for suspicious or unexpected script tags or JavaScript code embedded within the shortcode attributes or output.'}, {'type': 'paragraph', 'content': 'Suggested commands (to be run on the server hosting the WordPress site) include:'}, {'type': 'list_item', 'content': 'Use WP-CLI to list installed plugins and their versions: `wp plugin list`'}, {'type': 'list_item', 'content': 'Search the WordPress database for usage of the shortcode: `wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE \'%[ytmr_fb_scoreboard]%\'"`'}, {'type': 'list_item', 'content': 'Search for suspicious script tags in posts or options: `wp db query "SELECT option_name, option_value FROM wp_options WHERE option_value LIKE \'%<script>%\'"`'}, {'type': 'list_item', 'content': 'Manually inspect pages or posts containing the shortcode for injected scripts.'}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps for CVE-2026-1891 include:'}, {'type': 'list_item', 'content': 'Update or remove the Simple Football Scoreboard plugin if an updated, patched version is available.'}, {'type': 'list_item', 'content': 'If no update is available, disable or uninstall the plugin to prevent exploitation.'}, {'type': 'list_item', 'content': "Review and sanitize all content using the '[ytmr_fb_scoreboard]' shortcode to remove any injected malicious scripts."}, {'type': 'list_item', 'content': 'Restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated access at Contributor level or above.'}, {'type': 'list_item', 'content': 'Implement Web Application Firewall (WAF) rules to detect and block attempts to inject malicious scripts via shortcode parameters.'}, {'type': 'paragraph', 'content': 'Long term, ensure that all user inputs are properly sanitized and escaped before output, and monitor for plugin updates addressing this vulnerability.'}] [1, 3]