Description
The Docus – YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'docusplaylist' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-06
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (Contributor+)
Action: Patch
AI Analysis

Impact

The Docus – YouTube Video Playlist plugin contains a flaw that lets an authenticated user with Contributor or higher access store arbitrary JavaScript via the docusplaylist shortcode. Because the plugin does not sanitize or escape the attributes, the malicious script is saved in the database and is rendered whenever the page is viewed, allowing the attacker to run code in the context of any visitor. This can lead to session hijacking, credential theft, defacement, or redirection.

Affected Systems

All WordPress sites that have installed the Docus – YouTube Video Playlist plugin version 1.0.6 or earlier are affected. The vulnerability is present in every earlier release, and the issue exists regardless of the host operating system or WordPress core version. No additional dependencies are listed beyond the plugin itself.

Risk and Exploitability

The CVSS score is 6.4, indicating a medium severity vulnerability. The EPSS score is less than 1%, suggesting low current exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. The attack requires authentication as a Contributor or higher, and the attacker must place a malicious shortcode in a post or page that other users subsequently view. Because the payload executes in the browser, the direct damage is confined to the web context, but a hijacked session can be leveraged for further compromise.

Generated by OpenCVE AI on April 15, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Docus – YouTube Video Playlist plugin to a version newer than 1.0.6, which removes the stored XSS flaw.
  • If an immediate upgrade is not possible, restrict the Contributor role from adding content with the docusplaylist shortcode, or remove the plugin entirely from the site until a patch is available.
  • As a temporary mitigation, deploy a Content-Security-Policy header that blocks inline scripts, or enforce a policy that only allows scripts from trusted origins, reducing the impact of any injected script.


Advisories

No advisories yet.

History

Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress, Wordpress wordpress
Vendors & Products | | Wordpress, Wordpress wordpress

Fri, 06 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 07:00:00 +0000

Type | Values Removed | Values Added
Description | | The Docus – YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'docusplaylist' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Docus <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:14.375Z

Reserved: 2026-02-04T14:25:10.638Z

Link: CVE-2026-1888

Vulnrichment

Updated: 2026-02-06T19:23:27.288Z

NVD

Status: Deferred

Published: 2026-02-06T07:16:12.130

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1888

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:30:13Z

Weaknesses