Shield Security < 13.0.6 - Admin+ Stored Cross-Site Scripting
Description
The Shield Security WordPress plugin before 13.0.6 lacks sanitization in admin notes, allowing high-privilege users to inject stored XSS despite unfiltered_html being disallowed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Shield Security WordPress plugin, versions before 13.0.6, fails to sanitize and escape admin notes. This stored Cross-Site Scripting (XSS) vulnerability allows administrators to inject arbitrary JavaScript into notes that are later rendered to other users [1].
Exploitation
An attacker with high-privilege access (e.g., Administrator) can craft a malicious admin note containing JavaScript payloads. When other administrators view the notes, the script executes in their browser sessions. The attack requires no user interaction beyond viewing the note and no special network position [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of other admin users' sessions, potentially leading to session hijacking, privilege escalation, or further compromise of the WordPress installation [1].
Mitigation
The vulnerability is fixed in version 13.0.6, released on January 19, 2022. Users should update to 13.0.6 or later immediately. No workaround is available; applying the patch is the only recommended action [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Shield Security
- Range: <13.0.6
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing sanitization and escaping of admin notes allows stored Cross-Site Scripting even when unfiltered_html is disallowed."
Attack vector
An attacker with high-privilege (Admin+) access can inject arbitrary JavaScript into admin notes because the plugin fails to sanitize and escape the note content [ref_id=1]. When other administrators view the notes, the injected script executes in their browser, leading to stored Cross-Site Scripting (XSS) [CWE-79]. This attack works even when the WordPress `unfiltered_html` capability is disallowed, meaning the standard WordPress restriction on raw HTML does not block the payload [ref_id=1].
Affected code
The vulnerability exists in the admin notes functionality of the Shield Security WordPress plugin (wp-simple-firewall). The advisory does not specify exact file or function names, but the flaw is in how the plugin handles admin notes input and output.
What the fix does
The advisory states the vulnerability is fixed in version 13.0.6 of the Shield Security plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably adds proper sanitization and escaping to admin note input and output, preventing arbitrary HTML or JavaScript from being stored and rendered. Administrators should update to version 13.0.6 or later.
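As an added illustration (not Shield Security's code; every `shield_demo_*` function and option name is hypothetical), the storage-and-render pattern the advisory describes beside a hardened form, in WordPress PHP. It shows why disallowing `unfiltered_html` does not help: WordPress applies its kses filters to post content, not to data a plugin stores on its own, so the plugin must sanitize on input and escape on output itself.

```php
<?php
// Added example, not Shield Security's code: a plugin-stored "admin note"
// bypasses WordPress's unfiltered_html restriction unless the plugin sanitizes
// and escapes the note itself. All shield_demo_* names are hypothetical.

// Vulnerable pattern: request data stored and echoed back unchanged. WordPress
// only applies its kses filters to post content, so disallowing unfiltered_html
// for administrators (e.g. via DISALLOW_UNFILTERED_HTML) never touches this path.
function shield_demo_save_note_vulnerable( $raw_note ) {
    update_option( 'shield_demo_admin_note', $raw_note ); // stored as received
}
function shield_demo_render_note_vulnerable() {
    echo get_option( 'shield_demo_admin_note', '' );      // rendered as stored
}

// Hardened pattern: treat the note as plain text on input and escape on output.
function shield_demo_save_note_fixed( $raw_note ) {
    // Strip all tags; a free-text note has no need for HTML. If limited markup
    // were genuinely required, wp_kses_post() would be the filter to use instead.
    $note = sanitize_textarea_field( wp_unslash( $raw_note ) );
    update_option( 'shield_demo_admin_note', $note );
}
function shield_demo_render_note_fixed() {
    // Escape at output regardless of what is stored, so a note saved before the
    // fix, or through another code path, still cannot execute in an admin's browser.
    echo esc_html( get_option( 'shield_demo_admin_note', '' ) );
}

// Request handler for the hardened path: capability check, nonce check, then
// sanitized save. The capability check limits who can write; the sanitization
// is what stops an Admin+ user from planting script that runs for other admins.
function shield_demo_handle_save_request() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'shield_demo_save_note' );
    $raw = isset( $_POST['note'] ) ? $_POST['note'] : '';
    shield_demo_save_note_fixed( $raw );
}
```

Output escaping is the part worth auditing first in a plugin like this: it neutralizes notes that were stored before the fix, which input sanitization alone cannot do.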
Preconditions
- Attacker must have Administrator-level access to the WordPress site
- The Shield Security plugin must be installed and active with a version prior to 13.0.6
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/0d276cca-d6eb-4f4c-83dd-fbc03254c679 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.