Medium severity6.4NVD Advisory· Published Apr 22, 2026· Updated Apr 22, 2026

CVE-2026-6236

Description

The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Posts map WordPress plugin (≤0.1.3) suffers from stored XSS via the 'name' shortcode attribute, allowing contributor-level attackers to inject arbitrary scripts.

Vulnerability

Details

The Posts map plugin for WordPress, versions up to and including 0.1.3, contains a stored cross-site scripting (XSS) vulnerability in the name shortcode attribute. The flaw arises from insufficient input sanitization and output escaping on user-supplied attributes, allowing malicious input to be stored and later rendered unsafely.

Exploitation

An authenticated attacker with at least contributor-level access can exploit this by crafting a shortcode with a malicious name attribute. When the page containing the shortcode is viewed by any user, the injected script executes in their browser. No additional authentication or network position is required beyond the contributor role.

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Because the script is stored, every visitor to the affected page is at risk.

Mitigation

As of April 15, 2026, the plugin has been closed on the WordPress plugin repository pending a full review [1]. No patched version is available. Users are advised to remove the plugin immediately and consider alternative solutions.

References

Posts map

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

WordPress/Posts Mapreferences
Package: https://wordpress.org/plugins/posts-map

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 20, 2026 to April 26, 2026)
Wordfence Blog · Apr 30, 2026

cvss	0.416
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000