Description
The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the [futureaction] shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The plugin uses esc_html() to escape the value, but esc_html() only encodes HTML entities and does not prevent attribute injection when the value is used as an HTML tag name in a sprintf() call. An attacker can inject event handler attributes via spaces in the wrapper value. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Since it is also possible for administrators to make this functionality available to lower-privileged users, this introduces the possibility of abuse by contributors.
Published: 2026-05-05
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient sanitization of the 'wrapper' attribute in the [futureaction] shortcode. The plugin uses esc_html() to escape the user-supplied value, but the value is then inserted as an HTML tag name via sprintf(). esc_html() encodes HTML entities only; it leaves spaces untouched, so a wrapper value containing a space lands inside the opening tag as additional attributes, including event handlers. An authenticated administrator can use the shortcode to place arbitrary script in a post, and if the plugin is configured to expose this functionality to lower-privileged users, contributors can also exploit it. The result is stored Cross-Site Scripting: the injected JavaScript runs whenever any site visitor views the affected content.
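To make the failure mode concrete, the following is an added example (not the plugin's code) contrasting the pattern the advisory describes with a validating alternative. esc_html() is polyfilled so the file runs outside WordPress; the function names, the allowlist and the constructed sample input are assumptions.

```php
<?php
// Added example, not PublishPress Future code. Demonstrates why esc_html() is
// the wrong escaper for a value that ends up as an HTML *tag name*.

// Minimal stand-in for WordPress's esc_html() so this runs outside WordPress.
// The real function also encodes < > & " ' but, like this one, leaves spaces alone.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( string $text ): string {
        return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Pattern described in the advisory: the escaped value becomes the tag name.
// Entities are encoded, but a space survives, so anything after it is emitted
// inside the opening tag as an attribute.
function render_wrapper_vulnerable( array $atts, string $inner ): string {
    $wrapper = $atts['wrapper'] ?? 'div';
    return sprintf( '<%1$s>%2$s</%1$s>', esc_html( $wrapper ), $inner );
}

// Hardened form: a tag name is an enumerated value, not free text. Validate it
// against an allowlist (assumed here) and fall back to a safe default rather
// than echoing anything the caller supplied.
function render_wrapper_hardened( array $atts, string $inner ): string {
    $allowed = array( 'div', 'span', 'p', 'section' );
    $wrapper = strtolower( trim( (string) ( $atts['wrapper'] ?? 'div' ) ) );
    if ( ! preg_match( '/^[a-z][a-z0-9]*$/', $wrapper ) || ! in_array( $wrapper, $allowed, true ) ) {
        $wrapper = 'div';
    }
    return sprintf( '<%1$s>%2$s</%1$s>', $wrapper, $inner );
}

// Constructed sample: a benign attribute stands in for what an attacker would
// place after the space. Note the vulnerable output carries it into the tag.
$atts  = array( 'wrapper' => 'div data-injected=1' );
$inner = 'scheduled content';

echo render_wrapper_vulnerable( $atts, $inner ), PHP_EOL;
// <div data-injected=1>scheduled content</div data-injected=1>

echo render_wrapper_hardened( $atts, $inner ), PHP_EOL;
// <div>scheduled content</div>
```

The same allowlist check belongs wherever a shortcode attribute selects a tag name, a CSS class list, or any other token that is not plain text content.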

Affected Systems

This flaw affects the Schedule Post Changes With PublishPress Future plugin for WordPress. All plugin releases up to and including version 4.10.0 are vulnerable. The issue manifests when the [futureaction] shortcode is used in content, posts, or widgets.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity, and exploitation requires authenticated access with at least administrator privileges (PR:H in the vector). No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation is straightforward for administrators: they can edit a post, add the shortcode with a malicious wrapper value, and save it. The injected script will execute for any visitor to that page, leading to potential credential theft, session hijacking, or defacement. The limited attack vector (authentication and use of the plugin are both required) reduces the likelihood of remote exploitation but does not eliminate risk for organizations with active contributors, or with administrators who may inadvertently misuse the shortcode.

Generated by OpenCVE AI on May 5, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 4.10.0.
  • Remove or disable the [futureaction] shortcode from content or restrict its usage to trusted users.
  • Deploy a Web Application Firewall or enforce a strong Content Security Policy to block injected scripts.


Tracking


Advisories

No advisories yet.

History

Tue, 05 May 2026 02:45:00 +0000

Values added:

  • Description: identical to the description given at the top of this record.
  • Title: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'wrapper' Shortcode Attribute
  • Weaknesses: CWE-79
  • References:
  • Metrics: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-05T02:26:56.378Z

Reserved: 2026-03-31T15:17:50.677Z

Link: CVE-2026-5247

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T03:15:59.930

Modified: 2026-05-05T03:15:59.930

Link: CVE-2026-5247

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T03:30:14Z

Weaknesses