VYPR
Medium severity (6.4) · NVD Advisory · Published Mar 21, 2026 · Updated Apr 22, 2026

CVE-2026-1854

Description

The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Post Flagger WordPress plugin versions ≤1.1 allows contributor-level attackers to inject scripts via the 'flag' shortcode.

Vulnerability Overview

The Post Flagger plugin for WordPress, in all versions up to and including 1.1, contains a stored cross-site scripting (XSS) vulnerability. The root cause is insufficient input sanitization and output escaping on user-supplied attributes within the plugin's flag shortcode. This flaw allows authenticated users with at least contributor-level access to inject arbitrary web scripts [1].
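The defect class described above, as an added illustration that is not Post Flagger's code: a WordPress shortcode handler that interpolates user-supplied attributes into HTML unescaped, beside the hardened form that allow-lists and escapes them with WordPress's core escaping functions. The attribute names `label` and `color` and the `example_*` function names are assumptions; the `function_exists` stubs exist only so the file runs outside WordPress.

```php
<?php
// Added illustration; not Post Flagger's code. Attribute names are assumptions.

// Stubs so the file runs outside WordPress; inside WordPress the core versions are used.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}

// Vulnerable pattern: attribute values go into the markup unchanged. Shortcode
// attributes are part of post content, so anyone who can save a post (contributor
// and above) stores whatever markup they supply, and it renders for every reader.
function example_flag_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'label' => 'Flagged', 'color' => 'red' ), $atts, 'flag' );
    return '<span class="flag" style="color:' . $atts['color'] . '">' . $atts['label'] . '</span>';
}

// Hardened pattern: allow-list any value that selects styling, and escape each
// attribute at output time for the context it lands in (attribute value vs. text).
function example_flag_hardened( $atts ) {
    $atts   = shortcode_atts( array( 'label' => 'Flagged', 'color' => 'red' ), $atts, 'flag' );
    $colors = array( 'red', 'green', 'blue' );
    $color  = in_array( $atts['color'], $colors, true ) ? $atts['color'] : 'red';
    return sprintf(
        '<span class="flag" style="color:%s">%s</span>',
        esc_attr( $color ),
        esc_html( $atts['label'] )
    );
}

// Registration as a plugin would do it; only the hardened handler is registered.
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'flag', 'example_flag_hardened' );
}

// Constructed input: a label that closes the span and supplies its own tag.
$constructed = array( 'label' => '</span><i>injected</i>', 'color' => 'red;x' );
echo example_flag_vulnerable( $constructed ), "\n"; // live <i> tag and unvalidated style
echo example_flag_hardened( $constructed ), "\n";   // &lt;i&gt; as text, color reset to red
```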

Exploitation Conditions

An attacker must have a WordPress account with contributor-level permissions or higher to exploit this vulnerability. By crafting a malicious value for a shortcode attribute, the attacker can inject JavaScript or other scripts into a post or page. When any user, including site administrators or visitors, accesses the affected page, the injected script executes within the browser context of that user [1].

Impact

Successful exploitation enables the attacker to perform a variety of malicious actions, including stealing session cookies, defacing the site, redirecting users to other sites, or performing actions on behalf of the victim. Since the script executes in the context of the logged-in user's session, it can lead to privilege escalation or data theft depending on the victim's role.

Mitigation Status

The Post Flagger plugin has been closed by its developers as of March 6, 2026, due to this security issue, and it is no longer available for download from the WordPress plugin repository. Users who have the plugin installed should immediately remove it from their sites, as no patched version is expected to be released [1].

References
  1. Post Flagger

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0. No linked articles in our index yet.