Description
The Orange Confort+ accessibility toolbar for WordPress plugin is vulnerable to Stored Cross-Site Scripting via the 'style' parameter of the ocplus_button shortcode in all versions up to, and including, 0.7, due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page.
Published: 2026-02-06
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Patching
AI Analysis

Impact

The vulnerability resides in the Orange Confort+ accessibility toolbar plugin for WordPress, where the "style" attribute of the ocplus_button shortcode is not properly sanitized or escaped. Authenticated users with Contributor level or higher can embed arbitrary JavaScript in this attribute. When the malicious shortcode is stored in a post, page, or widget, any visitor who views that content will have the injected script executed in their browser. This can result in session hijacking, request forgery, or defacement.
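
As an added illustration (not the plugin's actual code, which this page does not show), the following hypothetical WordPress shortcode handler reproduces the pattern described above, with a hardened version beside it that applies WordPress's own sanitization and escaping functions; the function names, default attribute set and button markup are assumptions.

```php
<?php
// Illustration of the vulnerability class (hypothetical handler names and
// markup; not the plugin's code). Both handlers use the real WordPress APIs
// shortcode_atts(), esc_attr(), esc_html(), safecss_filter_attr() and
// add_shortcode().

// Vulnerable pattern: the 'style' attribute value is concatenated straight
// into the HTML. Post-content filtering (kses) does not protect shortcode
// attributes, because "[ocplus_button style=...]" is not an HTML tag when the
// post is saved; it is only turned into markup when the page is rendered.
function ocplus_button_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Accessibility', 'style' => '' ),
        $atts,
        'ocplus_button'
    );
    return '<button class="ocplus-button" style="' . $atts['style'] . '">'
        . $atts['label'] . '</button>';
}

// Hardened pattern:
//  - safecss_filter_attr() keeps only CSS declarations WordPress considers
//    safe for inline styles (the same filter kses applies to style="").
//  - esc_attr() encodes quotes and angle brackets so the value cannot
//    terminate the attribute or the tag.
//  - esc_html() escapes the visible label for the same reason.
function ocplus_button_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Accessibility', 'style' => '' ),
        $atts,
        'ocplus_button'
    );
    $style = esc_attr( safecss_filter_attr( $atts['style'] ) );
    $label = esc_html( $atts['label'] );
    return '<button class="ocplus-button" style="' . $style . '">'
        . $label . '</button>';
}

// Register only the hardened handler; the vulnerable one is shown for
// comparison and should never be wired to a shortcode.
add_shortcode( 'ocplus_button', 'ocplus_button_hardened' );
```

Because escaping happens at output time, an already-stored shortcode written by a Contributor is rendered safely once the hardened handler is in place; no content migration is needed.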

Affected Systems

All versions of the plugin, up to and including 0.7, are affected. The vendor is ravanh, and the product is the Orange Confort+ accessibility toolbar add-on for WordPress. Sites that run these versions and allow Contributor-level or higher accounts to edit content are exposed.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not included in the CISA KEV list. An attacker needs to compromise a WordPress account with sufficient privileges and inject the malicious shortcode into stored content. Once deployed, the attacker can compromise the browsing session of any user who loads the affected page.

Generated by OpenCVE AI on April 15, 2026 at 18:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Orange Confort+ accessibility toolbar to the latest version, which removes the unsanitized "style" parameter from the ocplus_button shortcode.
  • If an upgrade cannot be performed immediately, temporarily disable or remove the ocplus_button shortcode from site content or the plugin entirely if accessibility features are not critically required.
  • Deploy a web application firewall or configure existing WAF rules to detect and block suspicious JavaScript injection in page content to mitigate any residual risk.

Advisories

No advisories yet.

History

Mon, 09 Feb 2026 11:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Ravanh
                                      Ravanh orange Comfort+ Accessibility Toolbar For Wordpress
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Ravanh
                                      Ravanh orange Comfort+ Accessibility Toolbar For Wordpress
                                      Wordpress
                                      Wordpress wordpress

Fri, 06 Feb 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 07:00:00 +0000

Type                 Values Removed   Values Added
Description                           The Orange Confort+ accessibility toolbar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' parameter of the ocplus_button shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                                 Orange Confort+ accessibility toolbar for WordPress <= 0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses                            CWE-79
References
Metrics                               cvssV3_1
                                      {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:33.474Z

Reserved: 2026-02-03T13:53:41.958Z

Link: CVE-2026-1808

Vulnrichment

Updated: 2026-02-06T19:23:51.294Z

NVD

Status : Deferred

Published: 2026-02-06T07:16:11.923

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1808

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:00:12Z

Weaknesses