Description
The ITERAS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes (iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice) in all versions up to and including 1.8.2. This is due to insufficient input sanitization and output escaping in the combine_attributes() function. The function directly concatenates shortcode attribute values into JavaScript code within <script> tags using double-quoted string interpolation (line 489: '"'.$key.'": "'.$value.'"') without any escaping. An attacker can break out of the JavaScript string context by including a double-quote character in a shortcode attribute value and inject arbitrary JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The ITERAS WordPress plugin contains a stored cross‑site scripting flaw that allows an authenticated user with Contributor or higher privileges to inject JavaScript into web pages. The vulnerability resides in the combine_attributes() method, which concatenates shortcode attribute values directly into a JavaScript object inside a <script> tag without proper escaping. By inserting a double‑quote into a shortcode attribute, an attacker can break out of the string context and inject arbitrary script that will run whenever a page containing the malicious shortcode is rendered.
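As an added example, not code from the ITERAS plugin or from the advisory, the following constructed PHP sketch shows the concatenation pattern that the Description and Impact sections attribute to combine_attributes() next to a hardened form that lets a JSON encoder build the object literal. The function names, the iterasConfig variable and the sample attribute values are assumptions made for the illustration.

```php
<?php
// Constructed illustration of the pattern the advisory describes for
// combine_attributes(); this is not the ITERAS plugin's own code. Both
// functions receive the shortcode attribute array WordPress passes to a
// shortcode callback and return the <script> block to print into the page.

// Vulnerable pattern: each value is concatenated into a double-quoted JS
// string with no escaping, so a double quote inside the value terminates
// the string and everything after it is parsed as JavaScript.
function combine_attributes_unsafe(array $atts): string {
    $pairs = [];
    foreach ($atts as $key => $value) {
        $pairs[] = '"' . $key . '": "' . $value . '"';
    }
    return '<script>var iterasConfig = {' . implode(', ', $pairs) . '};</script>';
}

// Hardened form: hand the whole array to the JSON encoder and let it emit
// the object literal. The JSON_HEX_* flags turn ", ', <, > and & into
// \uXXXX escapes, so a value can neither close the JS string nor end the
// enclosing <script> element early. Inside WordPress, wp_json_encode()
// accepts the same flags; json_encode() is used here so the file runs
// stand-alone.
function combine_attributes_safe(array $atts): string {
    $flags = JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_HEX_APOS
           | JSON_INVALID_UTF8_SUBSTITUTE;
    $json = json_encode((object) $atts, $flags);
    if ($json === false) {          // encoder refused the input: emit an empty
        $json = '{}';               // object rather than half-escaped data
    }
    return '<script>var iterasConfig = ' . $json . ';</script>';
}

// Constructed sample attributes. The second value carries the single
// character the advisory names, a double quote, plus a closing tag, so the
// difference between the two outputs is visible when the script is run.
$atts = [
    'plan'  => 'monthly',
    'label' => 'Read "more" </script>',
];

echo combine_attributes_unsafe($atts), PHP_EOL;
echo combine_attributes_safe($atts), PHP_EOL;
```

Run with `php example.php` and compare the two lines: in the first the label's inner quotes and closing tag reach the browser verbatim, in the second they arrive as \u0022 and \u003C\/script\u003E escapes inside an intact string.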

Affected Systems

WordPress sites running the ITERAS plugin at version 1.8.2 or earlier are affected. The CNA identifies the product as iteras:ITERAS; every release up to and including 1.8.2 is affected.

Risk and Exploitability

The CVSS v3 score of 6.4 classifies this vulnerability as medium severity. The EPSS probability is reported as < 1%, indicating a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Exploitation requires the attacker to authenticate to the WordPress installation with at least Contributor permissions, a prerequisite that is non-trivial but realistic on sites that accept content from contributors. Once malicious script has been injected, any visitor who views the affected page executes it in their browser, enabling cookie theft, session hijacking, or delivery of additional malware.

Generated by OpenCVE AI on April 28, 2026 at 14:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of ITERAS (1.8.3 or newer) to remove the vulnerable combine_attributes() implementation.
  • If an immediate upgrade is not feasible, restrict the plugin’s usage to administrator accounts only and revoke Contributor and lower roles from users who do not need to edit the plugin’s shortcode attributes.
  • Disable or sanitize shortcode processing by removing or configuring the iterate_shortcode hooks until a patched version is available.


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Iteras; Iteras iteras; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Iteras; Iteras iteras; Wordpress; Wordpress wordpress

Fri, 24 Apr 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 08:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The ITERAS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes (iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice) in all versions up to and including 1.8.2. This is due to insufficient input sanitization and output escaping in the combine_attributes() function. The function directly concatenates shortcode attribute values into JavaScript code within <script> tags using double-quoted string interpolation (line 489: '"'.$key.'": "'.$value.'"') without any escaping. An attacker can break out of the JavaScript string context by including a double-quote character in a shortcode attribute value and inject arbitrary JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: ITERAS <= 1.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-24T12:36:35.899Z

Reserved: 2026-03-12T20:02:44.935Z

Link: CVE-2026-4078

Vulnrichment

Updated: 2026-04-24T12:36:32.248Z

NVD

Status: Deferred

Published: 2026-04-24T08:16:30.373

Modified: 2026-04-24T14:38:26.740

Link: CVE-2026-4078

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T14:30:33Z

Weaknesses