Description
The 診断ジェネレータ作成プラグイン (Diagnosis Generator) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'js' parameter in versions up to and including 1.4.16. This is due to missing authorization checks and insufficient input sanitization in the themeFunc() function. The function is hooked to 'admin_init' and processes theme update requests without verifying user capabilities, allowing any authenticated user (including subscribers) to save malicious JavaScript to theme files. Additionally, the save() function uses stripslashes() which removes WordPress's magic quotes protection. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in theme files that will execute whenever a user accesses a page containing the diagnosis form shortcode.
Published: 2026-05-20
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin suffers from a stored cross‑site scripting flaw that allows authenticated WordPress users, including those with subscriber privileges or higher, to inject arbitrary JavaScript into theme files via the unconstrained ‘js’ parameter. The vulnerability arises because the themeFunc() function processes theme update requests without validating the user’s capability and the input is not sanitized or encoded. As a result, a malicious script saved by an attacker will execute whenever a page that includes the diagnosis form shortcode is rendered, potentially compromising the sessions of all visitors and allowing data theft or further attacks. The code also removes WordPress’s magic quotes protection by using stripslashes(), further enabling the persistence of injected payloads.
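The advisory names two defects on one request path: a handler on 'admin_init' that writes request data without checking who is calling, and a bare stripslashes() on that data. The snippet below is an added illustration of that pattern beside a hardened version. It is not the plugin's code; every function, option, form-field and nonce name in it is assumed, and the storage is an option rather than the theme files the advisory describes so that the example is self-contained.

```php
<?php
// Added example, not the 診断ジェネレータ作成プラグイン source. All names below are assumptions.

// Storage stand-in: the real plugin writes to theme files (per the advisory);
// an option keeps this example runnable without touching the filesystem.
function dg_save_theme_js( $js ) {
    return update_option( 'dg_example_theme_js', $js, false );
}

// ---- Vulnerable shape -------------------------------------------------------
// 'admin_init' fires for every logged-in request that reaches wp-admin, including
// profile.php and admin-ajax.php, which a subscriber can load. Nothing here asks
// who the caller is, so any authenticated account can persist the payload.
function dg_vuln_theme_func() {
    if ( ! isset( $_POST['dg_theme_update'], $_POST['js'] ) ) {
        return;
    }
    // No current_user_can(), no nonce. stripslashes() only undoes the slashes
    // WordPress adds to $_POST; the value is otherwise stored as submitted.
    $js = stripslashes( $_POST['js'] );
    dg_save_theme_js( $js );
}
// add_action( 'admin_init', 'dg_vuln_theme_func' ); // how the vulnerable version is wired

// ---- Hardened shape ---------------------------------------------------------
// The stored value is emitted as executable script by the shortcode, so it cannot
// be "sanitized" into something inert without breaking the feature. The control
// is therefore *who* may write it, plus proof that the request was intended.
function dg_safe_theme_func() {
    if ( ! isset( $_POST['dg_theme_update'], $_POST['js'] ) ) {
        return;
    }
    // 1. Authorization: writing arbitrary JavaScript is equivalent to the
    //    unfiltered_html capability, so require both it and an admin capability.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( 'You are not allowed to update this theme.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. CSRF: the submitting form must carry a nonce bound to this action
    //    (form side: wp_nonce_field( 'dg_theme_update', 'dg_theme_nonce' );).
    check_admin_referer( 'dg_theme_update', 'dg_theme_nonce' );

    // 3. Unslash the WordPress way; the behaviour matches stripslashes() on a
    //    string, but wp_unslash() is the sanctioned call and handles arrays too.
    $js = wp_unslash( $_POST['js'] );

    dg_save_theme_js( $js );
}
add_action( 'admin_init', 'dg_safe_theme_func' );
```

The capability check is the fix the advisory calls for; the nonce closes the CSRF variant of the same write, and the unslash change is idiomatic rather than security-relevant on its own.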

Affected Systems

Version 1.4.16 or earlier of the Diagnosis Generator plugin supplied by olivesystem. The plugin is a WordPress add‑on; the affected component is the theme functionality that accepts the ‘js’ parameter during an update operation. No other versions or product variants are listed as affected.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates moderate severity; the changed scope reflects that script saved through the plugin's admin-side handler executes in the browsers of visitors to the public site. EPSS is below 1% (very low) and the CVE is not listed in CISA's KEV catalog. Exploitation requires authentication but nothing more: themeFunc() performs no capability check, so any account that can log in, including a subscriber created through open registration, can reach the 'admin_init' hook (which also fires for subscriber-accessible requests such as profile.php and admin-ajax.php) and persist script. Site role configuration therefore does not gate the issue. Once stored, the payload runs for every visitor who loads a page containing the diagnosis form shortcode, enabling actions in that visitor's authenticated context (including administrative actions when an administrator views the page), content injection and defacement. Because the flaw is stored, the payload persists until it is removed from the theme files; upgrading the plugin closes the injection path but does not by itself clean a payload that was already saved.

Generated by OpenCVE AI on May 20, 2026 at 03:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Diagnosis Generator plugin to a release later than 1.4.16 as soon as the vendor publishes one that addresses the 'js' parameter handling; at the time of this entry no fixed version is listed.
  • Do not rely on role or capability changes as a workaround: themeFunc() does not check capabilities at all, so revoking 'edit_theme_options' (which subscribers do not hold in the first place) has no effect. Instead reduce the authenticated population (disable open registration, remove unneeded subscriber accounts) and block requests carrying the 'js' parameter into wp-admin from non-administrators, either at the WAF or with a must-use plugin that runs before the vulnerable handler.
  • As an interim measure, deactivate or delete the plugin so that the vulnerable code path and the shortcode that renders the stored script are no longer active. Also inspect the plugin's stored theme data for script content that was not added by an administrator: a payload saved before mitigation remains until it is removed.
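The interim block described above can be expressed as a small must-use plugin. This is an added example, not something supplied by the vendor or by OpenCVE. It assumes the vulnerable handler is attached to 'admin_init' at WordPress's default priority (10), which the advisory does not state; the very low priority below makes this callback run first only under that assumption. The parameter name 'js' comes from the advisory; the request method does not, so POST and GET are both inspected.

```php
<?php
/**
 * Plugin Name: Interim block for the 'js' theme-update parameter (added example)
 * Description: Refuses the 'js' parameter on admin_init for anyone who is not an
 *              administrator with unfiltered_html. Place in wp-content/mu-plugins/.
 */

// Priority -9999 runs ahead of a callback registered at the default priority 10
// (assumption: the vulnerable themeFunc() uses the default).
add_action( 'admin_init', 'dg_interim_block_js_param', -9999 );

function dg_interim_block_js_param() {
    // Only the parameter name is known from the advisory, not the HTTP method.
    if ( ! isset( $_REQUEST['js'] ) ) {
        return;
    }

    // Administrators keep the feature; the same bar the hardened handler would set.
    if ( current_user_can( 'manage_options' ) && current_user_can( 'unfiltered_html' ) ) {
        return;
    }

    // Leave a trail for the SOC before refusing: who, from where, to which URI.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $uri    = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-';
    error_log( sprintf(
        'dg-interim: blocked js parameter from user %d at %s (%s)',
        get_current_user_id(),
        $remote,
        $uri
    ) );

    // Stop the request before the vulnerable callback can run.
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}
```

Because the rule keys only on a parameter named 'js', test it on staging first: any other admin-side request that legitimately carries a 'js' field from a non-administrator would be refused as well. It prevents new writes only; a payload already saved still has to be located in the plugin's theme data and deleted.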


Advisories

No advisories yet.

History

Wed, 20 May 2026 13:30:00 +0000

Type      Values removed   Values added
Metrics   (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 11:45:00 +0000

Type                  Values removed   Values added
First Time appeared   (none)           Olivesystem; Olivesystem 診断ジェネレータ作成プラグイン; Wordpress; Wordpress wordpress
Vendors & Products    (none)           Olivesystem; Olivesystem 診断ジェネレータ作成プラグイン; Wordpress; Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type          Values removed   Values added
Description   (none)           The 診断ジェネレータ作成プラグイン (Diagnosis Generator) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'js' parameter in versions up to and including 1.4.16. This is due to missing authorization checks and insufficient input sanitization in the themeFunc() function. The function is hooked to 'admin_init' and processes theme update requests without verifying user capabilities, allowing any authenticated user (including subscribers) to save malicious JavaScript to theme files. Additionally, the save() function uses stripslashes() which removes WordPress's magic quotes protection. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in theme files that will execute whenever a user accesses a page containing the diagnosis form shortcode.
Title         (none)           診断ジェネレータ作成プラグイン <= 1.4.16 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'js' Parameter
Weaknesses    (none)           CWE-79
References    (none)           (none)
Metrics       (none)           cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T13:03:00.373Z

Reserved: 2026-03-31T20:22:03.814Z

Link: CVE-2026-5293

Vulnrichment

Updated: 2026-05-20T13:02:56.973Z

NVD

Status: Deferred

Published: 2026-05-20T02:16:37.053

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-5293

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:19Z

Weaknesses