Description
The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the 'outgrow' shortcode in all versions up to, and including, 2.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via authenticated contributor-level access.
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the Outgrow WordPress plugin and allows an attacker who has at least contributor privileges to inject malicious JavaScript into the 'id' attribute of the 'outgrow' shortcode. Because the plugin fails to sanitize and escape this input, the script is stored in the database and executed whenever a user views a page that contains the shortcode. This stored cross‑site scripting can lead to session hijacking, defacement, or delivery of malware to site visitors.

Affected Systems

Any WordPress installation that uses the Outgrow plugin in a version 2.1 or earlier is affected. The plugin is named 'Outgrow' and is distributed under the 'outgrow:Outgrow' vendor/package. All users who have contributor or higher roles on the site are at risk. Older WordPress sites or environments that still run these legacy plugin versions should consider them vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS base score of 6.4, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers need authenticated access with contributor-level rights, which limits the potential attackers to site administrators or trusted contributors. Nevertheless, once the malicious payload is injected it affects all visitors to the affected pages, providing a high impact vector. Organizers should treat the risk as moderate but actionable.

Generated by OpenCVE AI on March 21, 2026 at 06:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Outgrow plugin to a version newer than 2.1, if an update exists.
  • If an upgrade is not immediately possible, block or remove the plugin from production until a patch is available.
  • Restrict contributor-level permissions or remove users who no longer require such access.
  • Regularly audit and monitor for unexpected content changes within pages that use the 'outgrow' shortcode, and consider implementing a web application firewall rule to block JavaScript injections.

Generated by OpenCVE AI on March 21, 2026 at 06:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Outgrow
Outgrow outgrow
Wordpress
Wordpress wordpress
Vendors & Products Outgrow
Outgrow outgrow
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the 'outgrow' shortcode in all versions up to, and including, 2.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Outgrow <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'outgrow' Shortcode 'id' Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Outgrow Outgrow
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:24.505Z

Reserved: 2026-02-04T14:26:10.210Z

Link: CVE-2026-1889

cve-icon Vulnrichment

Updated: 2026-03-23T18:08:25.220Z

cve-icon NVD

Status : Deferred

Published: 2026-03-21T04:16:55.703

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-1889

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:42:28Z

Weaknesses