CVE-2026-1889

The Outgrow plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability in its shortcode functionality. The flaw exists because the plugin insufficiently sanitizes and escapes user-supplied attributes, specifically the id attribute of the [outgrow] shortcode [1]. Versions up to and including 2.1 are affected.

Exploitation of this vulnerability requires the attacker to have at least contributor-level access to the WordPress site. The attacker can inject arbitrary web scripts through the vulnerable attribute when creating or editing a post or page. The injected script will then execute whenever any user visits the affected page.

Successful exploitation allows an attacker to execute malicious JavaScript in the context of the victim's session, potentially leading to session hijacking, defacement, or redirection to malicious sites. The impact is somewhat limited by the need for an authenticated account, but contributor accounts are often widely distributed.

The plugin has been closed on the WordPress.org plugin directory as of March 2026 due to this security issue [1]. Site administrators who are still using the plugin should remove or replace it, as no patched version is available.