CVE-2026-5247
Deferred Deferred - Pending Action
Stored XSS in PublishPress Future WordPress Plugin

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the [futureaction] shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The plugin uses esc_html() to escape the value, but esc_html() only encodes HTML entities and does not prevent attribute injection when the value is used as an HTML tag name in a sprintf() call. An attacker can inject event handler attributes via spaces in the wrapper value. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Since it is also possible for administrators to make this functionality available to lower-privileged users, this introduces the possibility of abuse by contributors.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5247
EUVD
EUVD-2026-27191
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
publishpress future to 4.10.0 (inc)
publishpress future 4.10.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Schedule Post Changes With PublishPress Future plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'wrapper' attribute of the [futureaction] shortcode. This vulnerability exists because the plugin does not properly sanitize input for the wrapper attribute. Although it uses esc_html() to escape the value, esc_html() only encodes HTML entities and does not prevent injection of malicious attributes when the value is used as an HTML tag name in a sprintf() call.

An attacker with administrator-level access or higher can exploit this by injecting event handler attributes via spaces in the wrapper value, allowing arbitrary web scripts to be executed whenever a user accesses the affected page. Since administrators can enable this functionality for lower-privileged users, contributors could potentially abuse this vulnerability as well.

Impact Analysis

This vulnerability allows authenticated users with administrator-level access or above to inject malicious scripts into pages viewed by other users. This can lead to unauthorized actions being performed on behalf of users, theft of sensitive information such as cookies or session tokens, and potential compromise of user accounts.

Additionally, because administrators can enable this feature for lower-privileged users, contributors might exploit this vulnerability to perform attacks, increasing the risk of abuse within the WordPress site.

Compliance Impact

The provided information does not specify how the CVE-2026-5247 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Detection of this vulnerability involves identifying the presence of the vulnerable PublishPress Future plugin version (up to and including 4.10.0) on your WordPress installation.

Since the vulnerability is related to the [futureaction] shortcode's 'wrapper' attribute allowing stored XSS, detection can include searching for usage of this shortcode in posts or pages, especially looking for suspicious or injected event handler attributes within the wrapper attribute.

Commands to assist detection might include:

  • Using WP-CLI to check the plugin version: `wp plugin list | grep publishpress-future`
  • Searching the WordPress database for the [futureaction] shortcode usage with suspicious attributes, for example via SQL queries or WP-CLI commands to find posts containing the shortcode.
  • Manually inspecting posts or pages for injected event handler attributes in the wrapper attribute of the shortcode.
Mitigation Strategies

The immediate mitigation step is to update the PublishPress Future plugin to version 4.10.1 or later, where this vulnerability has been patched.

Additionally, restrict the usage of the [futureaction] shortcode to trusted users only, preferably administrators, to reduce the risk of abuse by lower-privileged users.

Review existing content for any injected malicious scripts and remove them if found.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5247. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart