Description
The BuddyHolis ListSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'listsearch' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The BuddyHolis ListSearch plugin for WordPress allows an attacker who can authenticate to the site with a contributor or higher role to inject arbitrary JavaScript through the placeholder attribute of the listsearch shortcode. Because the flaw is stored XSS, the script executes in the browser of every user who views a page containing the injected shortcode, which can expose that user's credentials or session information and enable further attacks on the affected WordPress installation. The vulnerability stems directly from insufficient input validation and inadequate output escaping (CWE-79) and is rated a moderate severity flaw with a CVSS score of 6.4.

Affected Systems

All builds of BuddyHolis ListSearch up to and including version 1.1 are impacted; the plugin is distributed under the digiblogger:BuddyHolis ListSearch package. Any WordPress installation that has this plugin active and one of the affected releases installed is vulnerable, regardless of the WordPress core version.

Risk and Exploitability

Exploitation requires prior authentication to the site with contributor-level access or higher, a role commonly granted to content editors or developers. With that prerequisite satisfied, an attacker can place a crafted placeholder attribute containing malicious JavaScript. Exploitation is straightforward once the role is obtained, because the plugin stores the attribute value in the database without sanitization. EPSS puts the probability of exploitation below 1%, and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, the moderate CVSS score and the potential for widespread user impact warrant treating this flaw as a high priority.
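To make the CWE-79 pattern concrete, here is an added illustrative PHP example (not code from the BuddyHolis ListSearch plugin): a hypothetical listsearch shortcode handler that concatenates the placeholder attribute into HTML unescaped, beside the hardened form that normalises attributes with shortcode_atts() and escapes at output with esc_attr(). The function names, the input markup, the stand-in core functions and the sample value are all assumptions.

```php
<?php
// Added illustrative example, not the plugin's own code. Only the shortcode
// name 'listsearch' and the 'placeholder' attribute come from the advisory;
// the handler structure, function names and markup are assumptions.

// Vulnerable pattern (CWE-79): the attribute value is concatenated into the
// HTML as-is. A contributor who saves [listsearch placeholder="..."] therefore
// controls raw bytes inside an attribute that every visitor's browser parses.
function listsearch_shortcode_vulnerable( $atts ) {
    $placeholder = isset( $atts['placeholder'] ) ? $atts['placeholder'] : 'Search';
    return '<input type="text" name="ls_q" placeholder="' . $placeholder . '">';
}

// Hardened pattern: normalise attributes with shortcode_atts() and escape at
// the point of output with esc_attr(), which entity-encodes quotes and angle
// brackets so the value can neither close the attribute nor start a tag.
function listsearch_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'placeholder' => 'Search' ), $atts, 'listsearch' );
    return '<input type="text" name="ls_q" placeholder="' . esc_attr( $atts['placeholder'] ) . '">';
}

// Minimal stand-ins so this file runs outside WordPress. Inside WordPress the
// core functions already exist and these definitions are skipped.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        $out = array();
        foreach ( $pairs as $name => $default ) {
            $out[ $name ] = array_key_exists( $name, (array) $atts ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Register only the hardened handler when running inside WordPress.
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'listsearch', 'listsearch_shortcode_hardened' );
}

// Constructed sample value with a double quote and angle brackets: the
// vulnerable output is malformed HTML with a prematurely closed attribute,
// while the hardened output keeps the whole string inside the attribute.
$sample = array( 'placeholder' => 'Find "members" <now>' );
echo listsearch_shortcode_vulnerable( $sample ), "\n";
echo listsearch_shortcode_hardened( $sample ), "\n";
```

Running the file with the PHP CLI prints both renderings, which is the quickest way to see why escaping must happen at the point of output rather than on save.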

Generated by OpenCVE AI on April 15, 2026 at 21:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update BuddyHolis ListSearch to the latest version that removes the vulnerable placeholder attribute or implements proper sanitization.
  • If no update is available, disable the listsearch shortcode by removing it from templates or hiding it from editors.
  • Apply a Web Application Firewall that blocks script injection in shortcode attributes.
  • Restrict contributor and lower roles from editing content that includes the listsearch shortcode, limiting editing capabilities to administrators only.



Advisories

No advisories yet.

History

Wed, 11 Feb 2026 22:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Digiblogger; Digiblogger buddyholis Listsearch; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Digiblogger; Digiblogger buddyholis Listsearch; Wordpress; Wordpress wordpress

Wed, 11 Feb 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 08:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The BuddyHolis ListSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'listsearch' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: BuddyHolis ListSearch <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'placeholder' Shortcode Attribute

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:15.525Z

Reserved: 2026-02-03T18:32:47.519Z

Link: CVE-2026-1853

Vulnrichment

Updated: 2026-02-11T15:37:10.359Z

NVD

Status: Deferred

Published: 2026-02-11T09:15:52.883

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1853

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:15:13Z

Weaknesses