WP Extended Search < 2.1.2 - Contributor+ Stored XSS via Shortcode
Description
The WP Extended Search WordPress plugin before 2.1.2 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<2.1.2+ 1 more
- (no CPE)range: <2.1.2
- (no CPE)range: <2.1.2
Patches
Vulnerability mechanics
Root cause
"Missing input validation and output escaping on a shortcode attribute allows injection of arbitrary JavaScript."
Attack vector
An attacker with a role as low as Contributor can inject arbitrary JavaScript into a shortcode attribute that is not sanitized or escaped by the plugin [ref_id=1]. When the shortcode is rendered on a page, the malicious script executes in the context of any visitor who views that page, leading to Stored Cross-Site Scripting (XSS) [CWE-79]. The attack requires only the ability to create or edit posts containing the vulnerable shortcode.
Affected code
The WP Extended Search plugin before version 2.1.2 contains a shortcode attribute that is not validated or escaped. The advisory does not specify the exact function or file name, but the vulnerable component is the shortcode handler used by the plugin [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 2.1.2, but no patch diff is provided in the bundle [ref_id=1]. The fix presumably adds proper input validation and output escaping to the shortcode attribute that was previously unsanitized, preventing injection of malicious HTML or JavaScript.
Preconditions
- authAttacker must have a WordPress user role of Contributor or higher to create or edit posts containing the vulnerable shortcode.
- configThe WP Extended Search plugin must be installed and active with a version prior to 2.1.2.
Reproduction
The advisory's proof of concept is referenced at the WPScan URL but its full text is not included in the bundle [ref_id=1]. No reproduction steps are available in the provided materials.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- wpscan.com/vulnerability/0d9ba176-97be-4b6b-9cf1-6c3047321a1emitreexploitvdb-entrytechnical-description
News mentions
0No linked articles in our index yet.