CVE-2026-10531
Deferred Deferred - Pending Action

Stored XSS in AI Share & Summarize WordPress Plugin

Vulnerability report for CVE-2026-10531, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: WPScan

Description

The AI Share & Summarize WordPress plugin before 2.0.4 does not sanitise and escape some of its shortcode attributes before outputting them in a page, allowing users with the Contributor role and above to perform Stored Cross-Site Scripting attacks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ai_share_and_summarize wordpress_plugin to 2.0.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The AI Share & Summarize WordPress plugin versions 2.0.4 and below have a vulnerability where some shortcode attributes, specifically "title_style", are not properly sanitized and escaped before being output on a page.

This flaw allows users with the Contributor role or higher to inject malicious JavaScript code into posts, which is a type of Stored Cross-Site Scripting (XSS) attack.

When an administrator views or previews the compromised post, the injected script executes, potentially enabling attackers to perform unauthorized actions such as creating new admin accounts silently.

Impact Analysis

This vulnerability can have serious impacts including unauthorized privilege escalation and site compromise.

  • Attackers with Contributor or higher roles can inject malicious scripts into posts.
  • When administrators view or preview these posts, the malicious scripts execute.
  • This can allow attackers to silently create new administrator accounts, gaining full control over the WordPress site.
  • Such control can lead to data theft, site defacement, or further exploitation.
Detection Guidance

This vulnerability involves Stored Cross-Site Scripting (XSS) via the "title_style" shortcode attribute in the AI Share & Summarize WordPress plugin version 2.0.4 and below.

To detect this vulnerability on your system, you can check if the plugin version installed is 2.0.4 or below.

Additionally, you can search for posts containing the vulnerable shortcode with suspicious or malicious JavaScript code injected in the "title_style" attribute.

Example commands to help detect the vulnerability include:

  • Check the plugin version installed via WP-CLI: wp plugin list | grep ai-share-and-summarize
  • Search the WordPress database for posts containing the shortcode with the "title_style" attribute: wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[ai_share_and_summarize%title_style=%'"
  • Look for suspicious JavaScript code within the "title_style" attribute in the post content.
Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the AI Share & Summarize WordPress plugin to version 2.0.4 or later, where the issue has been fixed.

Additionally, review and sanitize any posts created or edited by users with Contributor role or higher to ensure no malicious scripts are injected via the "title_style" shortcode attribute.

Limit the permissions of users with Contributor role or higher until the update is applied to reduce the risk of exploitation.

Compliance Impact

The vulnerability allows users with Contributor role or higher to perform Stored Cross-Site Scripting (XSS) attacks, potentially enabling attackers to execute malicious scripts that can create new admin accounts silently.

Such unauthorized access and privilege escalation could lead to unauthorized data access or modification, which may violate data protection requirements under regulations like GDPR and HIPAA.

Therefore, this vulnerability could negatively impact compliance with common standards and regulations by compromising the confidentiality and integrity of sensitive data managed through the affected WordPress plugin.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10531. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart