CVE-2026-1853
Description
The BuddyHolis ListSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'listsearch' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in BuddyHolis ListSearch plugin for WordPress allows authenticated contributors to inject arbitrary scripts via shortcode attributes.
Vulnerability
Overview The BuddyHolis ListSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.1. The vulnerability exists because the plugin's 'listsearch' shortcode does not sufficiently sanitize user-supplied attributes or escape output, allowing arbitrary script injection [1].
Exploitation
An attacker must be authenticated with at least contributor-level access to the WordPress site. By injecting malicious JavaScript into the shortcode attributes, the attacker can create a page that, when visited, executes the script in the context of other users' browsers.
Impact
Successful exploitation enables the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, or defacing content. Any user accessing the compromised page is affected.
Mitigation
The plugin has been closed as of February 6, 2026, due to this security issue [1]. Users are advised to remove or replace the plugin with an alternative. No patch is available.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.