CVE-2026-2714
Stored XSS in WordPress Institute Management Plugin (Multi-site
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_plugin | institute_management | up to and including 5.5 |
| wpninjas | institute_management | up to and including 5.5 |
| wpplugins | institute_management | up to and including 5.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Institute Management plugin for WordPress, specifically in the 'Enquiry Form Title' setting. It is a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient input sanitization and output escaping.
Authenticated attackers with Administrator-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the injected page.
This vulnerability affects all versions up to and including version 5.5, but only impacts multi-site installations or installations where the unfiltered_html capability has been disabled.
How can this vulnerability impact me?
This vulnerability allows attackers with high-level access to inject malicious scripts into web pages, which can then execute in the context of users visiting those pages.
The impact includes potential theft of user credentials, session hijacking, defacement, or other malicious actions performed via the injected scripts.
Since the vulnerability requires Administrator-level access, the risk is somewhat limited to insiders or compromised admin accounts, but it still poses a significant threat to site integrity and user security.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that you update the Institute Management plugin for WordPress to a version later than 5.5 where the issue is fixed.
Additionally, restrict Administrator-level access to trusted users only, as exploitation requires such privileges.
If you are running a multi-site installation or have disabled unfiltered_html, note that the missing input sanitization and output escaping can only be fixed in the plugin code itself, so consider temporarily deactivating the plugin until a patched version is installed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the Institute Management plugin for WordPress in versions up to and including 5.5, specifically in multi-site installations or where unfiltered_html is disabled. Detection involves verifying the plugin version and configuration.
To detect if your system is vulnerable, you can check the installed version of the Institute Management plugin and confirm if it is version 5.5 or earlier.
You can use the following command to list installed WordPress plugins and their versions via WP-CLI:

```sh
wp plugin list --path=/path/to/wordpress
```
Look for the 'institute_management' plugin and check its version. If it is 5.5 or below, your installation may be vulnerable.
Additionally, verify if your WordPress installation is a multi-site setup and whether the 'unfiltered_html' capability is disabled for administrators, as the vulnerability only affects such configurations.
There are no specific network detection commands or signatures provided in the available resources.
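To make the version check above repeatable, here is an added example (not from the advisory or the plugin authors) that parses WP-CLI's CSV plugin list and compares the reported version against 5.5 with numeric field ordering; it assumes the plugin slug is `institute_management` and runs on a constructed sample.

```sh
# Added example, not code from the advisory or the plugin: decide from WP-CLI
# output whether the installed Institute Management plugin is in the affected
# range (<= 5.5). Assumption: the slug printed by `wp plugin list` is
# "institute_management" (this page's product slug); adjust if yours differs.

PLUGIN_SLUG="institute_management"
AFFECTED_MAX="5.5"

# version_le A B: exit 0 if A <= B, comparing dot-separated numeric fields,
# so 5.10 > 5.5 and 5.5.1 > 5.5 (a plain string compare would get both wrong).
version_le() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"          # leading field of each version
    if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
    x="${x:-0}"; y="${y:-0}"            # missing field counts as 0
    if [ "$x" -lt "$y" ]; then return 0; elif [ "$x" -gt "$y" ]; then return 1; fi
  done
  return 0
}

# check_plugin_csv CSV: CSV is the text printed by
#   wp plugin list --fields=name,version --format=csv --path=/path/to/wordpress
# Prints "affected (<v> <= 5.5)", "patched (<v>)" or "not installed".
check_plugin_csv() {
  result="not installed"
  while IFS=, read -r name version; do
    [ "$name" = "$PLUGIN_SLUG" ] || continue
    if version_le "$version" "$AFFECTED_MAX"; then
      result="affected ($version <= $AFFECTED_MAX)"
    else
      result="patched ($version)"
    fi
  done <<EOF
$1
EOF
  printf '%s\n' "$result"
}

# Constructed sample in the shape of WP-CLI's --format=csv output.
SAMPLE_CSV='name,version
akismet,5.3
institute_management,5.5'

# An affected version only matters on multisite or where unfiltered_html is
# disabled; pair the result with `wp core is-installed --network` (exit 0 on
# multisite) and `wp config get DISALLOW_UNFILTERED_HTML`.
check_plugin_csv "$SAMPLE_CSV"   # prints: affected (5.5 <= 5.5)
```

`wp config get` exits non-zero when the constant is not defined in wp-config.php, which for DISALLOW_UNFILTERED_HTML is itself the answer.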