Description
The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-announcements-accordion' shortcode's 'maximum-num-years' attribute in all versions up to, and including, 1.0.26. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the 'maximum-num-years' attribute value is read directly from shortcode attributes and interpolated into a double-quoted HTML attribute without any escaping (no esc_attr(), htmlspecialchars(), or similar). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
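The description above names the exact coding pattern behind the finding: a shortcode attribute copied straight into a double-quoted HTML attribute with no esc_attr() or equivalent. The PHP below is an added illustration, not code from the Investi plugin, showing a handler with that shape beside a hardened one. The function names, the data-max-years attribute and the 1–100 bound are assumptions for this example; the shortcode and attribute names come from the advisory. The small stand-ins at the top let the file run with plain `php` outside WordPress, where the real functions exist.

```php
<?php
// Added illustration, not code from the Investi plugin. Shows the unsafe shape the advisory
// describes (shortcode attribute interpolated into a quoted HTML attribute unescaped) next to
// a hardened handler. Function names and the data-max-years attribute are assumptions.

// Minimal stand-ins so the file runs outside WordPress; inside WordPress these already exist.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $defaults, $atts, $shortcode = '' ) {
        return array_merge( $defaults, array_intersect_key( (array) $atts, $defaults ) );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'absint' ) ) {
    function absint( $maybeint ) {
        return abs( (int) $maybeint );
    }
}

// Unsafe shape: the attribute value a Contributor typed into the post becomes part of the tag.
function investi_accordion_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'maximum-num-years' => '5' ),
        $atts,
        'investi-announcements-accordion'
    );
    // A double quote in the value terminates data-max-years early; what follows is parsed as markup.
    return '<div class="investi-accordion" data-max-years="' . $atts['maximum-num-years'] . '"></div>';
}

// Hardened shape: the attribute is a count of years, so coerce it to a bounded integer, then escape it.
function investi_accordion_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'maximum-num-years' => '5' ),
        $atts,
        'investi-announcements-accordion'
    );
    $max_years = absint( $atts['maximum-num-years'] ); // anything that is not an integer collapses to 0
    if ( $max_years < 1 || $max_years > 100 ) {        // assumed sane range; out-of-range falls back to the default
        $max_years = 5;
    }
    // esc_attr() on output stays even though the value is now an integer, so the handler remains
    // correct if the validation above is ever relaxed.
    return '<div class="investi-accordion" data-max-years="' . esc_attr( $max_years ) . '"></div>';
}

// Inside WordPress, register the hardened handler for the shortcode.
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'investi-announcements-accordion', 'investi_accordion_safe' );
}

// Constructed input containing a double quote, the character that matters for a quoted attribute.
$constructed = array( 'maximum-num-years' => '5"x' );
echo investi_accordion_unsafe( $constructed ), "\n"; // the quote passes through and breaks the attribute
echo investi_accordion_safe( $constructed ), "\n";   // the value is reduced to the integer 5
```

Why this matters for the Contributor role specifically: Contributors lack the unfiltered_html capability, so KSES strips script tags from the post body they submit, but shortcode attributes are evaluated server-side when the page renders, after that filtering. Unescaped shortcode attributes therefore give a low-privilege author a path into the rendered HTML that KSES does not cover, which is why validating the value by type (here, an integer) and escaping on output are both needed.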
Published: 2026-04-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Investi WordPress plugin fails to sanitize the maximum‑num‑years attribute of its investi‑announcements‑accordion shortcode, allowing an authenticated Contributor or higher user to embed arbitrary JavaScript. The inserted script is stored in the database and delivered to any visitor who views a page containing the shortcode, potentially stealing credentials, defacing content, or performing further malicious actions on behalf of the user. This flaw corresponds to CWE‑79, a classic stored XSS weakness.

Affected Systems

Any WordPress site that installs the Investi plugin version 1.0.26 or earlier is affected. The vulnerability is present in all releases through 1.0.26, regardless of the WordPress core version.

Risk and Exploitability

The flaw carries a CVSS score of 6.4, indicating moderate severity. EPSS data is not published, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only Contributor‑level login, which is a common role on many sites. Once an attacker supplies a malicious maximum‑num‑years value, the payload is stored in the database and will execute for any user who loads the affected page, making the attack straightforward and low‑cost for an authenticated user.

Generated by OpenCVE AI on April 8, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Investi to the latest version (1.0.27 or later).
  • If an upgrade is not possible, remove or disable the investi‑announcements‑accordion shortcode from site content.
  • Restrict Contributor role or revoke it from untrusted users.
  • Apply site‑wide content filtering or CSP headers to mitigate potential script execution.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Investi; Investi investi; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Investi; Investi investi; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 04:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-announcements-accordion' shortcode's 'maximum-num-years' attribute in all versions up to, and including, 1.0.26. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the 'maximum-num-years' attribute value is read directly from shortcode attributes and interpolated into a double-quoted HTML attribute without any escaping (no esc_attr(), htmlspecialchars(), or similar). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: Investi <= 1.0.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'maximum-num-years' Shortcode Attribute

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:34.895Z

Reserved: 2026-03-05T13:47:35.910Z

Link: CVE-2026-3600

Vulnrichment

Updated: 2026-04-08T14:21:09.773Z

NVD

Status: Deferred

Published: 2026-04-08T05:16:05.960

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-3600

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:58Z

Weaknesses