Tabs Shortcode and Widget <= 1.17 - Contributor+ Stored Cross-Site Scripting
Description
The Tabs Shortcode and Widget WordPress plugin through 1.17 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Tabs Shortcode and Widget WordPress plugin through 1.17 allows contributor+ users to inject arbitrary scripts via unsanitized shortcode attributes.
Vulnerability
The Tabs Shortcode and Widget WordPress plugin through version 1.17 fails to validate and escape some shortcode attributes before outputting them in a page or post where the shortcode is embedded. This allows users with the contributor role and above to perform stored cross-site scripting (XSS) attacks [1].
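Added illustration, not code from the Tabs Shortcode and Widget plugin: a minimal WordPress shortcode handler of the kind the description refers to, first in the form that outputs attribute values as-is and then with each value escaped for the context it lands in, using WordPress's own `shortcode_atts()`, `esc_attr()`, `esc_html()` and `sanitize_html_class()`. The shortcode tag `demo_tab`, the attribute names and the function names are assumptions, and the code expects to run inside WordPress. The point the handler has to cover itself: a contributor's post content is filtered by kses on save, but shortcode attribute values are plain text inside the `[...]` tag, so that filtering does not reach them and the handler is the only place they get escaped.

```php
<?php
// Added example, not the plugin's own code. Assumes a WordPress environment;
// the shortcode tag, attribute names and function names are made up.

// PATTERN BEHIND THE DEFECT: attribute values are concatenated into markup
// unchanged. Any user who can write a post can set `title` and `class`, and
// whatever they put there lands verbatim in the rendered HTML.
// Shown for contrast only; this version is deliberately not registered.
function demo_tab_shortcode_unescaped( $atts, $content = null ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'class' => '' ),
        $atts,
        'demo_tab'
    );
    return '<div class="tab ' . $atts['class'] . '" data-title="' . $atts['title'] . '">'
         . '<h3>' . $atts['title'] . '</h3>'
         . do_shortcode( $content )
         . '</div>';
}

// HARDENED PATTERN: every attribute is escaped at output for its context.
//   esc_attr()            value placed inside an HTML attribute
//   esc_html()            value placed in element text
//   sanitize_html_class() value used as a CSS class name (second argument
//                         is the fallback when nothing valid remains)
// Enclosed $content is left to do_shortcode(): it comes from post content,
// which WordPress already filters for users lacking unfiltered_html.
function demo_tab_shortcode_escaped( $atts, $content = null ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'class' => '' ),
        $atts,
        'demo_tab'
    );
    $class = sanitize_html_class( $atts['class'], 'tab-default' );
    return '<div class="tab ' . esc_attr( $class ) . '"'
         . ' data-title="' . esc_attr( $atts['title'] ) . '">'
         . '<h3>' . esc_html( $atts['title'] ) . '</h3>'
         . do_shortcode( $content )
         . '</div>';
}

// Only the escaped handler is wired up.
add_shortcode( 'demo_tab', 'demo_tab_shortcode_escaped' );
```

For an attribute that carries a URL (a link or image source), the matching context function is `esc_url()` rather than `esc_attr()`; the rule is one escaping function per output context, chosen by where the value ends up in the markup.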
Exploitation
An attacker with contributor-level access or higher can craft a shortcode attribute containing malicious JavaScript. When the shortcode is rendered on a page or post, the unsanitized attribute is output directly, executing the injected script in the browser of any visitor viewing the affected content.
Impact
Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of the victim's session. This can result in data theft, session hijacking, or defacement of the WordPress site.
Mitigation
As of the publication date, no fix has been released. Users should restrict contributor and higher roles to trusted individuals, or consider disabling the plugin until a patched version becomes available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.17
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. wpscan.com/vulnerability/6e67bf7f-07e6-432b-a8f4-aa69299aecaf/ (mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.