CVE-2026-7662
Description
WordPress ePaperFlip Publisher plugin vulnerable to Stored XSS via shortcode attribute, allowing authenticated users to inject scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The ePaperFlip Publisher plugin for WordPress versions up to and including 1 is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability exists because the plugin does not properly sanitize or escape the value of the publicationid attribute of the epaperflip_embed shortcode, and injects that user-supplied value directly into inline JavaScript. [1]
Exploitation
An authenticated attacker with Contributor-level access or higher can exploit this vulnerability. The attacker needs to inject a malicious script into the publicationid attribute of the epaperflip_embed shortcode on a page. The script will then execute when another user accesses the compromised page.
Impact
Successful exploitation allows an attacker to inject arbitrary web scripts into pages. When a user visits a page containing the injected script, the script will execute in the context of that user's browser session. This can lead to various consequences such as session hijacking, defacement, or further malicious actions depending on the injected script.
Mitigation
The ePaperFlip Publisher plugin has been closed as of June 3, 2026, and is not available for download pending a full review. [2] No patched version has been released, and no workarounds are currently disclosed in the available references. The plugin is effectively end-of-life.
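With no patched version available, site owners can at least audit stored content for epaperflip_embed shortcodes whose publicationid value looks unusual. The following is an added example, not code from the plugin or the advisory; it assumes post content has been exported as (post_id, content) pairs and that legitimate publication IDs contain only letters, digits, hyphens and underscores.

```python
import re

# Assumption: legitimate publication IDs use only letters, digits, '-' and '_'.
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Matches [epaperflip_embed ...] and captures the raw attribute text.
SHORTCODE = re.compile(r"\[epaperflip_embed\b([^\]]*)\]", re.IGNORECASE)

# Shortcode attributes may be double-quoted, single-quoted or bare.
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")


def parse_attrs(attr_text):
    """Return a dict mapping lower-cased attribute names to raw values."""
    attrs = {}
    for m in ATTR.finditer(attr_text):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def audit_posts(posts):
    """Return [(post_id, raw_value)] for publicationid values needing review."""
    findings = []
    for post_id, content in posts:
        for m in SHORTCODE.finditer(content):
            attr_text = m.group(1)
            value = parse_attrs(attr_text).get("publicationid")
            if value is None:
                # Attribute is named but could not be parsed (e.g. broken quoting).
                if "publicationid" in attr_text.lower():
                    findings.append((post_id, attr_text.strip()))
            elif not SAFE_ID.fullmatch(value):
                findings.append((post_id, value))
    return findings


# Constructed sample data, not taken from any real site.
SAMPLE_POSTS = [
    (101, 'Read our issue: [epaperflip_embed publicationid="spring-2026"]'),
    (102, "[epaperflip_embed publicationid='42' width=600]"),
    (103, '[epaperflip_embed publicationid="42\';//x"]'),
    (104, "No shortcode here."),
]

if __name__ == "__main__":
    for post_id, value in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: review publicationid value {value!r}")
```

A flagged value is a prompt for manual review, not proof of injection; the allowlist should be tightened or loosened to match the IDs the site actually uses.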
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=1
Patches
No patches discovered yet.