VYPR
Medium severity · 6.4 · NVD Advisory · Published Feb 14, 2026 · Updated Apr 15, 2026

CVE-2026-1903

Description

The Ravelry Designs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'layout' attribute of the 'sb_ravelry_designs' shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Stored XSS vulnerability in the Ravelry Designs Widget plugin for WordPress allows contributor+ users to inject arbitrary scripts via the shortcode layout attribute.

Vulnerability

Analysis

The Ravelry Designs Widget plugin for WordPress (versions ≤ 1.0.0) suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The bug resides in the sb_ravelry_designs shortcode, where the layout attribute is not properly sanitized or escaped. User-supplied attributes are passed directly into output without validation, allowing malicious HTML/JavaScript to be stored and later executed [1].
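The weakness the analysis describes is a shortcode attribute that reaches HTML output without validation or escaping. The following is an added illustration written for this page, not the plugin's own code and not a released fix (the advisory notes none exists): a hypothetical handler in the unsafe shape the text describes, beside a hardened version that restricts `layout` to a fixed set of values and escapes it for attribute context. The function names and the set of accepted layout values are assumptions; `shortcode_atts`, `sanitize_key`, `esc_attr` and `add_shortcode` are standard WordPress functions.

```php
<?php
// Added example for this advisory page; not code from the Ravelry Designs Widget plugin.
// Function names and the allowed layout values below are assumptions.

// UNSAFE PATTERN: the user-supplied 'layout' attribute is concatenated straight
// into a class attribute. A contributor who can place the shortcode in a post
// controls this string, which is the stored XSS condition described above.
function insecure_ravelry_designs_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'layout' => 'grid' ), $atts, 'sb_ravelry_designs' );
    return '<div class="ravelry-designs ' . $atts['layout'] . '">'
         . '<!-- design listing would be rendered here -->'
         . '</div>';
}

// HARDENED PATTERN: accept only known layout names, then escape on output anyway.
function secure_ravelry_designs_shortcode( $atts ) {
    // Assumed set of layouts the widget actually supports.
    $allowed_layouts = array( 'grid', 'list' );

    $atts = shortcode_atts( array( 'layout' => 'grid' ), $atts, 'sb_ravelry_designs' );

    // sanitize_key() lowercases and strips everything outside [a-z0-9_-];
    // the allowlist check then rejects any value that is not a real layout.
    $layout = sanitize_key( $atts['layout'] );
    if ( ! in_array( $layout, $allowed_layouts, true ) ) {
        $layout = 'grid'; // fall back to the default rather than echoing input
    }

    // esc_attr() is the WordPress escaping function for HTML attribute context.
    // Escaping at output is kept even though the value is already allowlisted,
    // so the handler stays safe if the allowlist is later extended.
    return '<div class="ravelry-designs ' . esc_attr( $layout ) . '">'
         . '<!-- design listing would be rendered here -->'
         . '</div>';
}

add_shortcode( 'sb_ravelry_designs', 'secure_ravelry_designs_shortcode' );
```

The two changes that matter are validation against a closed set of expected values and context-appropriate escaping at the point of output; either one alone would have stopped arbitrary markup from reaching the page, and the hardened handler applies both. For the affected plugin itself, the advice in the Mitigation section (remove the plugin) is what applies, since no maintained version carries a fix.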

Exploitation

Prerequisites

An attacker must have at least Contributor-level access to a WordPress site (i.e., an authenticated user with the edit_posts capability). No further privileges or special network access are required. The attacker injects malicious script code through the shortcode's layout parameter when creating or editing a post or page containing the shortcode [1].

Impact

Once the payload is stored, it executes in the browser of any user who visits the compromised page. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data such as cookies and authentication tokens. The attack does not require the victim to have any special role [1].

Mitigation

As of publication, the plugin is unmaintained and no patch has been released. Users are advised to remove the plugin and replace it with an alternative. Since the vulnerable surface is the plugin's own shortcode, disabling or deleting the plugin removes it entirely [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0. No linked articles in our index yet.