Description
The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via the 'slug' attribute (authenticated contributor+ required)
Action: Apply Patch
AI Analysis

Impact

The Post Flagger plugin contains a stored cross‑site scripting flaw in the 'flag' shortcode. The 'slug' attribute is not properly sanitized, allowing an attacker with at least contributor privileges to insert arbitrary HTML or JavaScript into post or page content. When a visitor accesses the page, the injected script runs in their browser, potentially exposing the site to further exploitation or user defacement.

Affected Systems

WordPress sites that use the Post Flagger plugin from nosoycesaros version 1.1 or earlier are affected. The vulnerability exists in all released versions up to 1.1 and is tied to the code that processes the shortcode in post-flagger.php. Users who have contributed content through the plugin are able to inject the malicious payload.

Risk and Exploitability

The CVSS base score of 6.4 indicates a moderate severity. No EPSS score is available and the issue is not listed in the CISA KEV catalog, suggesting that there is limited or no known exploitation in the wild at this time. Exploitation requires only contributor access, which is commonly granted on multi‑author WordPress installations. The overall risk remains moderate, but because the impact affects every visitor to affected pages, sites with high traffic or sensitive content should treat it as a priority concern.

Generated by OpenCVE AI on March 21, 2026 at 06:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Post Flagger plugin to the latest released version if a patch is available.
  • If no patched version exists, disable or remove the plugin to eliminate the vulnerability.
  • Audit all posts, pages, and content that includes the flag shortcode and remove any injected scripts.
  • Review the permissions granted to contributors and restrict contributor access to trusted users only.

Generated by OpenCVE AI on March 21, 2026 at 06:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Nosoycesaros
Nosoycesaros post Flagger
Wordpress
Wordpress wordpress
Vendors & Products Nosoycesaros
Nosoycesaros post Flagger
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Post Flagger <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'slug' Shortcode Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Nosoycesaros Post Flagger
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:08.104Z

Reserved: 2026-02-03T18:33:51.270Z

Link: CVE-2026-1854

cve-icon Vulnrichment

Updated: 2026-03-23T16:39:31.860Z

cve-icon NVD

Status : Deferred

Published: 2026-03-21T04:16:55.337

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-1854

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:42:34Z

Weaknesses