← Back
2026-04-08 6:43CVE-2026-5508Wordfence
PUBLISHED5.2CWE-79

WowPress <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wowpress` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Problem type

Affected products

theyeti

WowPress

<= 1.0.0 - AFFECTED

References

wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/893fa8c6-dcb4-4613-a836-8c717f859696?source=cve

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/browser/wowpress/tags/1.0.0/wowpress.php#L22

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/browser/wowpress/trunk/wowpress.php#L22

GitHub Security Advisories

GHSA-x9gr-2hg2-49rr

The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ...

https://github.com/advisories/GHSA-x9gr-2hg2-49rr

The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wowpress shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-5508

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/browser/wowpress/tags/1.0.0/wowpress.php#L22

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/browser/wowpress/trunk/wowpress.php#L22

wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/893fa8c6-dcb4-4613-a836-8c717f859696?source=cve

github.com

https://github.com/advisories/GHSA-x9gr-2hg2-49rr

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-5508
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-5508",
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "dateUpdated": "2026-04-08T06:43:40.553Z",
    "dateReserved": "2026-04-03T16:49:06.144Z",
    "datePublished": "2026-04-08T06:43:40.553Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence",
        "dateUpdated": "2026-04-08T06:43:40.553Z"
      },
      "title": "WowPress <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes",
      "descriptions": [
        {
          "lang": "en",
          "value": "The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wowpress` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "affected": [
        {
          "vendor": "theyeti",
          "product": "WowPress",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "1.0.0"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/893fa8c6-dcb4-4613-a836-8c717f859696?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wowpress/tags/1.0.0/wowpress.php#L22"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wowpress/trunk/wowpress.php#L22"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "timeline": [
        {
          "time": "2026-04-07T17:36:55.000Z",
          "lang": "en",
          "value": "Disclosed"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "zakaria",
          "type": "finder"
        }
      ]
    }
  }
}