Description
The ThemeRuby Multi Authors – Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' shortcode attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting in shortcode attributes
Action: Apply Patch
AI Analysis

Impact

The WordPress plugin ThemeRuby Multi Authors – Assign Multiple Writers to Posts is vulnerable to stored cross-site scripting because it does not sanitize or escape the values of the 'before' and 'after' shortcode attributes. Users with Contributor-level access or higher can inject arbitrary JavaScript that executes whenever a page containing the shortcode is viewed, allowing an attacker to hijack sessions, deface pages or deliver phishing content through the manipulated page.
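As an added example (not the plugin's code; the plugin's actual shortcode tag and rendering are not on this page), a shortcode handler showing the unescaped attribute pattern the advisory describes beside an escaped version. The tag 'multi_authors_demo' and the helper demo_author_list() are hypothetical; only the 'before' and 'after' attribute names come from the advisory.

```php
<?php
// Added illustration only; not the ThemeRuby plugin's code. The shortcode tag
// 'multi_authors_demo' and the demo_author_list() helper are hypothetical; the
// 'before' and 'after' attribute names come from the advisory.

// Pattern the advisory describes (CWE-79): attribute values are concatenated
// into the page without sanitization or escaping, so whatever a Contributor
// saves in before="..." / after="..." is stored and rendered as-is for every
// visitor who loads the post. Save-time content filtering does not know in
// which HTML context the plugin will later place these values, so escaping
// has to happen here, at output.
function demo_multi_authors_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'before' => '', 'after' => '' ), $atts, 'multi_authors_demo' );
    return $atts['before'] . demo_author_list() . $atts['after'];
}

// Hardened pattern: wp_kses_post() filters the values through WordPress's
// post-content allow-list (no <script>, no on* event handlers, no javascript:
// URLs) while keeping benign markup such as <span> or <strong>. If the
// attributes are meant to carry plain text only, esc_html() is the stricter choice.
function demo_multi_authors_safe( $atts ) {
    $atts = shortcode_atts( array( 'before' => '', 'after' => '' ), $atts, 'multi_authors_demo' );
    return wp_kses_post( $atts['before'] ) . demo_author_list() . wp_kses_post( $atts['after'] );
}

// Stand-in for the plugin's author rendering; its own output is escaped too.
function demo_author_list() {
    return '<span class="authors">' . esc_html( get_the_author() ) . '</span>';
}

// Register the escaped handler; the unsafe variant is kept above only for comparison.
add_shortcode( 'multi_authors_demo', 'demo_multi_authors_safe' );
```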

Affected Systems

All versions of the plugin up to and including 1.0.0 installed on a WordPress site are affected. The flaw requires an authenticated user with Contributor-or-higher privileges who can edit or create posts containing this shortcode.

Risk and Exploitability

The flaw carries a CVSS score of 6.4, indicating moderate severity. The EPSS score is less than 1%, suggesting a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and no public exploits are known. Attackers would need legitimate Contributor access and would typically use the shortcode editor to inject malicious code, which would then run in the browsers of any visitor to the affected page.

Generated by OpenCVE AI on April 15, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ThemeRuby Multi Authors plugin to the latest release that addresses the cross-site scripting issue.
  • If an upgrade cannot be performed immediately, remove or disable the 'before' and 'after' shortcode attributes in all post content and replace them with sanitized or static alternatives.
  • Restrict Contributor users from editing or inserting the vulnerable shortcodes, or move them to a role with fewer capabilities until the plugin is patched.
  • Perform a manual or automated scan of post content to detect and remove any injected JavaScript that may have been stored prior to patching.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Changed: References

Mon, 26 Jan 2026 19:15:00 +0000

Changed: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Changed: First Time appeared
Values added: Wordpress; Wordpress wordpress
Changed: Vendors & Products
Values added: Wordpress; Wordpress wordpress

Sat, 24 Jan 2026 07:45:00 +0000

Changed: Description
Values added: The ThemeRuby Multi Authors – Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' shortcode attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Changed: Title
Values added: ThemeRuby Multi Authors <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' and 'after' Shortcode Attributes
Changed: Weaknesses
Values added: CWE-79
Changed: References
Changed: Metrics (cvssV3_1)
Values added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:22:10.876Z

Reserved: 2026-01-16T21:41:04.094Z

Link: CVE-2026-1097

Vulnrichment

Updated: 2026-01-26T18:18:19.808Z

NVD

Status : Deferred

Published: 2026-01-24T08:16:09.003

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1097

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses