CVE-2026-5505
Stored XSS in WP-Clippy WordPress Plugin
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp-clippy | wp-clippy | up to 1.0.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the WP-Clippy plugin allows authenticated attackers with contributor-level access to inject arbitrary web scripts via stored cross-site scripting (XSS). This can lead to unauthorized script execution when users access affected pages.
Such a vulnerability could impact compliance with standards like GDPR and HIPAA because it may lead to unauthorized access to, or exposure of, personal or sensitive data through malicious scripts. However, the provided information does not explicitly detail the compliance impact or any data breaches resulting from this vulnerability.
Can you explain this vulnerability to me?
The WP-Clippy plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its 'clippy' shortcode in all versions up to and including 1.0.0. This vulnerability arises because the plugin does not properly sanitize or escape user-supplied attributes. As a result, authenticated users with contributor-level access or higher can inject malicious web scripts into pages. These scripts will execute whenever any user accesses the infected page.
How can this vulnerability impact me?
This vulnerability can allow attackers with contributor-level access or above to inject malicious scripts into WordPress pages. These scripts can execute in the browsers of users who visit the affected pages, potentially leading to unauthorized actions such as stealing session cookies, defacing content, or performing actions on behalf of the user without their consent.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the WP-Clippy plugin to a version later than 1.0.0 where the issue is fixed.
Additionally, restrict contributor-level access to trusted users only, since exploitation requires an authenticated account with contributor-level access or higher.
Consider reviewing and sanitizing any user-supplied content that uses the clippy shortcode to prevent stored cross-site scripting.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the WP-Clippy WordPress plugin versions up to 1.0.0 and involves stored Cross-Site Scripting via the plugin's clippy shortcode. Detection involves identifying if the vulnerable plugin is installed and if any pages contain injected scripts via the clippy shortcode.
To detect the presence of the vulnerable plugin on your WordPress site, you can check the installed plugins list or scan the filesystem for the plugin directory named 'wp-clippy'.
To detect potential exploitation or injected scripts, you can search your WordPress database or page content for suspicious script tags or unusual attributes within the clippy shortcode.
- Use WP-CLI to list installed plugins and check for 'wp-clippy': `wp plugin list | grep wp-clippy`
- Search the WordPress database for clippy shortcodes that carry script tags (requires database access; the `-p` flag without a value prompts for the password so it does not appear in the process list, and `wp_` is the default table prefix, so adjust it if your site uses a different one): `mysql -u [user] -p -e "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[clippy%]%<script%'"`
- Check the filesystem for the plugin directory: `find /path/to/wordpress/wp-content/plugins -maxdepth 1 -type d -name 'wp-clippy'`
Note that detection of actual exploitation requires inspecting page content for injected scripts within the clippy shortcode, which may require custom scripts or manual review.
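The SQL query above only finds clippy shortcodes that contain a literal `<script` tag. The following script is an added example, not part of this advisory or of the WP-Clippy plugin: it parses `[clippy ...]` shortcodes out of post content (for instance rows exported from `wp_posts`), decodes HTML entities in each attribute value, and flags values that carry script tags, inline event handlers, `javascript:` URIs or embedded markup. It generalizes beyond the `<script` check to the other ways an unescaped attribute can become active content. The shortcode attribute names (`text`, `name`) and the post rows are constructed sample data; the advisory does not list the shortcode's real attributes.

```python
import html
import re

# Constructed sample rows standing in for (ID, post_content) from wp_posts.
# The attribute names are hypothetical; the advisory does not document them.
SAMPLE_POSTS = {
    101: 'Welcome! [clippy text="Hello there" name="assistant"] Enjoy.',
    102: '[clippy text="<script>document.location=\'https://example.invalid/\'</script>"]',
    # Entity-encoded quotes: harmless as stored text, active once decoded into an attribute.
    103: '[clippy text="hi" name="x&quot; onmouseover=&quot;alert(1)"]',
    104: 'No shortcode here, just <script>legit-theme-code</script>.',
    105: "[clippy text='javascript:alert(1)']",
}

# [clippy ...] up to the closing bracket; attributes use WordPress's
# key="value", key='value' or key=value forms.
SHORTCODE_RE = re.compile(r'\[clippy\b([^\]]*)\]', re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*("([^"]*)"|\'([^\']*)\'|(\S+))')

# Indicators that an attribute value would act as script if echoed unescaped.
SUSPICIOUS = [
    ("script_tag", re.compile(r'<\s*script', re.IGNORECASE)),
    ("event_handler", re.compile(r'\bon\w+\s*=', re.IGNORECASE)),
    ("javascript_uri", re.compile(r'javascript\s*:', re.IGNORECASE)),
    ("embedded_markup", re.compile(r'<\s*(iframe|img|svg|object|embed)\b', re.IGNORECASE)),
]


def parse_shortcode_attrs(attr_text):
    """Return {name: value} for one shortcode's attribute string, entities decoded."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        raw = next(g for g in (m.group(3), m.group(4), m.group(5)) if g is not None)
        # Decode entities: stored content may hold &quot; that becomes a live quote
        # when the plugin echoes the attribute without escaping.
        attrs[m.group(1).lower()] = html.unescape(raw)
    return attrs


def find_suspicious_shortcodes(post_content):
    """Return [(attribute_name, indicator)] for every flagged clippy attribute."""
    findings = []
    for sc in SHORTCODE_RE.finditer(post_content):
        for name, value in parse_shortcode_attrs(sc.group(1)).items():
            for label, pattern in SUSPICIOUS:
                if pattern.search(value):
                    findings.append((name, label))
                    break  # one indicator per attribute is enough to flag it
    return findings


def scan_posts(posts):
    """Map post ID -> findings for every post with at least one flagged shortcode."""
    report = {}
    for post_id, content in posts.items():
        findings = find_suspicious_shortcodes(content)
        if findings:
            report[post_id] = findings
    return report


if __name__ == "__main__":
    for post_id, findings in scan_posts(SAMPLE_POSTS).items():
        print(f"post {post_id}: {findings}")
```

Post 104 is deliberately not flagged: a `<script>` tag outside any clippy shortcode is out of scope for this vulnerability and would be noise here. To run this against a real site, export `ID, post_content` with the query above (without the `<script` filter) and feed the rows in as the `posts` mapping.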