WordPress Eyes Only: User Access Shortcode Plugin <= 1.8.2 is vulnerable to Cross Site Scripting (XSS)
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Stored XSS in Eyes Only: User Access Shortcode plugin <=1.8.2 requires admin authentication; plugin removed from WordPress.org.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An authenticated stored cross-site scripting (XSS) vulnerability exists in the Eyes Only: User Access Shortcode plugin for WordPress, versions 1.8.2 and earlier. An attacker with admin-level privileges can inject malicious JavaScript into stored shortcode settings, which is later rendered on pages using the shortcode.
Exploitation
The attacker must have admin credentials to the WordPress site. They can then insert arbitrary JavaScript code into the plugin's configuration (e.g., shortcode parameters). When other users visit pages containing the shortcode, the injected script executes in their browsers.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of other users' sessions. This can lead to session hijacking, defacement, or theft of sensitive information, potentially compromising the entire WordPress site.
Mitigation
The plugin was closed on January 18, 2023, and removed from the WordPress.org plugin directory due to a security issue [1]. No patched version is available. Users should uninstall the plugin immediately and seek alternative solutions.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries (<=1.8.2 + 1 more):
- (no CPE), range: <=1.8.2
- (no CPE), range: n/a
Patches
0 patches.
eyes-only-user-access-shortcode: This plugin has been removed from the WordPress.org directory on 2023-01-18 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
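Because no update will arrive through the directory, the practical check is whether the plugin is still on disk. The script below is an added example, not part of the advisory or the plugin: it searches a directory tree for the slug named above and reports the version from the plugin header. The function names, the standard `wp-content/plugins` layout, the root path argument and GNU `sort -V` are assumptions.

```shell
#!/bin/sh
# Added example: find installs of the withdrawn plugin under a directory tree.
SLUG="eyes-only-user-access-shortcode"   # slug from the directory entry above
MAX_AFFECTED="1.8.2"                     # last affected version per this advisory

# version_le A B: succeeds when version A <= version B (needs GNU sort -V).
version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# plugin_version DIR: print the "Version:" header value from the PHP files
# in the plugin's top-level directory (where WordPress reads plugin headers).
plugin_version() {
  grep -hiE -m1 '^[[:space:]*#/]*Version:[[:space:]]*[0-9]' "$1"/*.php 2>/dev/null |
    head -n 1 |
    sed -E 's/.*[Vv]ersion:[[:space:]]*([0-9][0-9A-Za-z.+-]*).*/\1/'
}

# scan_for_plugin ROOT: print STATUS<TAB>VERSION<TAB>PATH for each install.
# The plugin is withdrawn with no fix, so every hit is a removal candidate;
# STATUS only records whether the version is inside the published range.
scan_for_plugin() {
  find "$1" -type d -path "*/wp-content/plugins/$SLUG" 2>/dev/null | sort |
  while IFS= read -r dir; do
    ver="$(plugin_version "$dir")"
    if [ -z "$ver" ]; then
      status="UNKNOWN-VERSION"; ver="?"
    elif version_le "$ver" "$MAX_AFFECTED"; then
      status="AFFECTED"
    else
      status="OUT-OF-RANGE"
    fi
    printf '%s\t%s\t%s\n' "$status" "$ver" "$dir"
  done
}

# Usage when run as a script: ./scan.sh /var/www
if [ "$#" -gt 0 ]; then
  scan_for_plugin "$1"
fi
```

An empty result means the slug was not found under the given root; it does not cover installs where the plugin directory was renamed.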
References
1 reference