CVE-2026-1047
Description
The salavat counter Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'image_url' parameter in all versions up to, and including, 0.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in the WordPress salavat counter plugin (≤0.9.5) allows administrators to inject arbitrary scripts via the image_url parameter.
The salavat counter Plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in all versions up to and including 0.9.5. The issue originates from insufficient input sanitization and output escaping on the 'image_url' parameter, allowing an authenticated attacker to inject arbitrary web scripts [1].
Exploitation requires authentication with administrator-level access or above. The attacker can inject malicious script content via the image_url field, which is then stored and executed whenever a user accesses the affected page. No further privileges or unusual network position is needed beyond the administrator role [1].
An attacker leveraging this vulnerability could execute arbitrary JavaScript in the browser of any user's browser session, potentially leading to session hijacking, defacement, or information theft. The impact is elevated by the fact that the stored payload persists and affects all visitors, including site administrators themselves [1].
The plugin has been closed by its developer as of February 17, 2026, and is no longer available for download due to this security issue [1]. No patched version exists; users are advised to remove the plugin immediately and review their sites for indicators of compromise.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <=0.9.5
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- downloads.wordpress.org/plugin/salavat-counter.zipnvd
- plugins.trac.wordpress.org/browser/salavat-counter/tags/0.9.5/wp-table-options.phpnvd
- plugins.trac.wordpress.org/browser/salavat-counter/trunk/wp-table-options.phpnvd
- wordpress.org/plugins/salavat-counter/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/6696b262-c6e5-4413-b7dc-894965daa5acnvd
News mentions
0No linked articles in our index yet.