CVE-2026-10089

Stored XSS in Insert Pages WordPress Plugin

Vulnerability report for CVE-2026-10089, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Wordfence

Description

The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to, and including, 3.11.4. This is due to insufficient output escaping in the the_meta() function: while the custom field VALUE is sanitized with wp_kses_post(), the custom field KEY ($key) is interpolated into the rendered HTML (lines 1786-1791) and echoed (line 1806) without any escaping when an inserted page is rendered with the [insert page='ID' display='all'] shortcode. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A generated: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:
Vendor: wordpressextensions
Product: insert_pages
Version range: up to and including 3.11.4

CWE

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

AI Quick Actions

Executive Summary

The Insert Pages plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 3.11.4. This occurs because the plugin does not properly escape the custom field keys (meta key names) when rendering pages using the [insert page='ID' display='all'] shortcode. While the custom field values are sanitized, the keys are directly inserted into the HTML without escaping, allowing authenticated users with author-level access or higher to inject malicious scripts. These scripts execute whenever a user views the affected page.

Impact Analysis

This vulnerability can allow attackers with author-level access to inject arbitrary malicious scripts into pages. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to theft of sensitive information, session hijacking, or other malicious actions. This compromises the integrity and security of the website and its users.

Detection Guidance

This vulnerability is a stored Cross-Site Scripting (XSS) via post custom field keys in the Insert Pages WordPress plugin. Detection means checking the custom field keys (meta key names) of any page that is inserted by the Insert Pages shortcode for script tags or other HTML-significant characters that have no business in a field name.

Since the vulnerability is only triggered when the [insert page='ID' display='all'] shortcode renders an inserted page's custom fields, you can search your WordPress database for posts or pages containing this shortcode, note the inserted page IDs, and inspect the custom field keys of those pages for script tags or unusual characters.

Example commands to detect potential exploitation might include:

  • Using WP-CLI to search posts with the shortcode: wp post list --post_type=page --format=ids | xargs -I % wp post get % --field=post_content | grep "\[insert page='[0-9]\+' display='all'\]"
  • Querying the database directly to find suspicious meta keys containing script tags: SELECT post_id, meta_key FROM wp_postmeta WHERE meta_key LIKE '%<script%' OR meta_key LIKE '%javascript:%';

Additionally, monitoring web traffic for reflected or stored XSS payloads targeting pages rendered with this shortcode can help detect exploitation attempts.
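As an added example (not part of the advisory, the plugin, or this page's commands), the Python script below applies the detection guidance above to constructed sample rows standing in for wp_posts and wp_postmeta: it finds every post that inserts another page with display='all', then flags meta keys on those inserted pages. It deliberately goes beyond the `<script` / `javascript:` patterns of the SQL query above and flags any `<`, `>`, quote or `&` in a key name, since the key is written into HTML unescaped, and it accepts single- or double-quoted shortcode attributes in either order.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data: post_id -> post_content, and (post_id, meta_key) rows.
# Page 7 carries a constructed key containing a <script> tag; page 8 a key with '&';
# post 11 also has an HTML-bearing key but is never inserted anywhere.
POSTS: Dict[int, str] = {
    5: "Intro text [insert page='7' display='all'] more text",
    6: "Nothing inserted here",
    9: '[insert page="8" display="title"]',
    10: '[insert display="all" page="8"]',
}
POSTMETA: List[Tuple[int, str]] = [
    (7, "_edit_lock"), (7, "hero_subtitle"), (7, "intro <script>"),
    (8, "price&tax"), (8, "normal"), (11, "<b>unused</b>"),
]

SHORTCODE_RE = re.compile(r"\[insert\b([^\]]*)\]", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|(\S+))""")
# Characters that change meaning once a key lands in HTML unescaped,
# plus the javascript: scheme the page's SQL query also looks for.
SUSPICIOUS_KEY_RE = re.compile(r"""[<>"'&]|javascript:""", re.IGNORECASE)


def inserted_pages_with_display_all(content: str) -> List[int]:
    """Page IDs that `content` renders via [insert ...] with display='all'."""
    ids: List[int] = []
    for m in SHORTCODE_RE.finditer(content):
        attrs = {name.lower(): (sq or dq or bare)
                 for name, sq, dq, bare in ATTR_RE.findall(m.group(1))}
        if attrs.get("display", "").lower() == "all" and attrs.get("page", "").isdigit():
            ids.append(int(attrs["page"]))
    return ids


def is_suspicious_meta_key(key: str) -> bool:
    """True if the key name contains HTML metacharacters or a javascript: scheme."""
    return SUSPICIOUS_KEY_RE.search(key) is not None


def find_exposed_meta_keys(posts: Dict[int, str],
                           postmeta: List[Tuple[int, str]]) -> List[Tuple[int, int, str]]:
    """(hosting post, inserted page, meta key) for each suspicious key that would be echoed."""
    hosts: Dict[int, List[int]] = {}
    for host_id, content in posts.items():
        for page_id in inserted_pages_with_display_all(content):
            hosts.setdefault(page_id, []).append(host_id)
    return [(host_id, post_id, key)
            for post_id, key in postmeta if post_id in hosts and is_suspicious_meta_key(key)
            for host_id in hosts[post_id]]


if __name__ == "__main__":
    for host_id, page_id, key in find_exposed_meta_keys(POSTS, POSTMETA):
        print(f"post {host_id} inserts page {page_id} whose meta key {key!r} looks unsafe")
```

Run it against real data by replacing POSTS and POSTMETA with the output of `wp post list` and a `SELECT post_id, meta_key FROM wp_postmeta` query.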

Mitigation Strategies

The primary mitigation step is to update the Insert Pages plugin to a version later than 3.11.4 where this vulnerability is fixed.

Until the update is applied, restrict author-level access and above to trusted users only, as the vulnerability requires an authenticated user with author-level permissions or higher to exploit.

You can also audit and sanitize existing custom field keys in your posts and pages to remove any malicious scripts.

As a temporary workaround, avoid using the [insert page='ID' display='all'] shortcode on pages accessible to untrusted users.
