CVE-2026-5247
Stored XSS in PublishPress Future WordPress Plugin
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| publishpress | future | up to and including 4.10.0 |
| publishpress | future | 4.10.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the CVE-2026-5247 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
The Schedule Post Changes With PublishPress Future plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'wrapper' attribute of the [futureaction] shortcode. The vulnerability exists because the plugin does not properly sanitize the wrapper attribute for the context in which it is used. Although it passes the value through esc_html(), that function only encodes HTML special characters such as angle brackets and quotes; it leaves spaces and '=' untouched, so it does not stop extra attributes from being injected when the value is placed in the tag-name position of a sprintf() template.
An attacker with administrator-level access or higher can exploit this by injecting event handler attributes via spaces in the wrapper value, allowing arbitrary web scripts to be executed whenever a user accesses the affected page. Since administrators can enable this functionality for lower-privileged users, contributors could potentially abuse this vulnerability as well.
How can this vulnerability impact me?
This vulnerability allows authenticated users with administrator-level access or above to inject malicious scripts into pages viewed by other users. This can lead to unauthorized actions being performed on behalf of users, theft of sensitive information such as cookies or session tokens, and potential compromise of user accounts.
Additionally, because administrators can enable this feature for lower-privileged users, contributors might exploit this vulnerability to perform attacks, increasing the risk of abuse within the WordPress site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying the presence of the vulnerable PublishPress Future plugin version (up to and including 4.10.0) on your WordPress installation.
Since the vulnerability is related to the [futureaction] shortcode's 'wrapper' attribute allowing stored XSS, detection can include searching for usage of this shortcode in posts or pages, especially looking for suspicious or injected event handler attributes within the wrapper attribute.
Commands to assist detection might include:
- Using WP-CLI to check the plugin version: `wp plugin list | grep publishpress-future`
- Searching the WordPress database for the [futureaction] shortcode usage with suspicious attributes, for example via SQL queries or WP-CLI commands to find posts containing the shortcode.
- Manually inspecting posts or pages for injected event handler attributes in the wrapper attribute of the shortcode.
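As an added example (not code from the plugin or from the advisory), the detection and hardening logic described above in Python: a scanner that pulls the wrapper attribute out of each [futureaction] shortcode in exported post content and flags any value that is not a bare tag name, next to a model of esc_html() showing why it does not help in a tag-name position. The sample posts, the esc_html() model and the hardened_wrapper() fallback are assumptions, not the plugin's own code.

```python
import html
import re
from typing import Dict, List

# Each [futureaction ...] shortcode instance; group 1 is its attribute string.
SHORTCODE_RE = re.compile(r"\[futureaction\b([^\]]*)\]")
# The wrapper attribute inside that string: double-quoted, single-quoted or bare.
WRAPPER_RE = re.compile(r"""\bwrapper\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")
# A wrapper value is only safe in a tag-name position if it IS a tag name.
TAG_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")


def esc_html(value: str) -> str:
    """Model of WordPress esc_html(): encodes <, >, &, and quotes, nothing more."""
    return html.escape(value, quote=True)


def wrapper_is_safe_tag(value: str) -> bool:
    """Context-correct check: letters and digits only, so no space can start an attribute."""
    return TAG_NAME_RE.fullmatch(value) is not None


def hardened_wrapper(value: str, default: str = "div") -> str:
    """Hardened replacement for escaping alone: fall back to a fixed tag if the value is not a tag name."""
    return value if wrapper_is_safe_tag(value) else default


def find_suspicious_wrappers(post_content: str) -> List[str]:
    """Wrapper values in [futureaction] shortcodes that are not bare tag names."""
    hits: List[str] = []
    for match in SHORTCODE_RE.finditer(post_content):
        found = WRAPPER_RE.search(match.group(1))
        if found is None:
            continue  # shortcode without a wrapper attribute
        value = next(g for g in found.groups() if g is not None)
        if not wrapper_is_safe_tag(value):
            hits.append(value)
    return hits


def scan_posts(posts: Dict[int, str]) -> Dict[int, List[str]]:
    """Map post ID -> suspicious wrapper values, for content exported from the database."""
    return {pid: hits for pid, body in posts.items() if (hits := find_suspicious_wrappers(body))}


# Constructed sample post content (post ID -> post_content); not taken from any real site.
SAMPLE_POSTS = {
    12: 'Offer ends soon. [futureaction wrapper="span"]',
    13: 'Note: [futureaction wrapper="div onclick=x"] stays until expiry.',
    14: "A post with no shortcode at all.",
}

if __name__ == "__main__":
    print(scan_posts(SAMPLE_POSTS))  # {13: ['div onclick=x']}
```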
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the PublishPress Future plugin to version 4.10.1 or later, where this vulnerability has been patched.
Additionally, restrict the usage of the [futureaction] shortcode to trusted users only, preferably administrators, to reduce the risk of abuse by lower-privileged users.
Review existing content for any injected malicious scripts and remove them if found.