Description
The WP-Clippy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `clippy` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-05
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP-Clippy plugin does not sufficiently sanitize or escape the attributes of its `clippy` shortcode, resulting in a stored cross-site scripting (XSS) flaw. An authenticated user with contributor or higher privileges can inject arbitrary JavaScript into any page that uses the shortcode. When another visitor loads that page, the injected script runs in their browser, potentially compromising session cookies, stealing credentials, or defacing content.
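The defect class described above (shortcode attributes interpolated into HTML without validation or escaping) next to a hardened handler, as an added PHP example. This is illustrative code written for this page, not WP-Clippy's own code: the attribute names (agent, message, delay), the agent allow-list and the `example_` function names are assumptions. The WordPress functions it calls (shortcode_atts, add_shortcode, esc_attr, esc_html, absint, wp_kses) are real WordPress APIs.

```php
<?php
/**
 * Added illustrative example; not WP-Clippy's own code. It shows the bug class
 * the advisory describes (shortcode attributes reaching HTML without escaping)
 * beside a hardened handler. Attribute names (agent, message, delay) and the
 * allow-list of agent names are hypothetical.
 */

// Vulnerable pattern: every attribute is interpolated straight into markup.
// Whoever can place [clippy ...] in a post controls the resulting HTML.
function example_clippy_shortcode_vulnerable( $atts ) {
	$atts = shortcode_atts(
		array( 'agent' => 'clippy', 'message' => '', 'delay' => '0' ),
		$atts,
		'clippy'
	);
	return '<div class="clippy" data-agent="' . $atts['agent'] . '"'
		. ' data-delay="' . $atts['delay'] . '">'
		. $atts['message'] . '</div>';
}

// Hardened pattern: validate values that select behaviour against an allow-list,
// coerce numbers, and escape every remaining value for the context it lands in.
function example_clippy_shortcode_hardened( $atts ) {
	$atts = shortcode_atts(
		array( 'agent' => 'clippy', 'message' => '', 'delay' => '0' ),
		$atts,
		'clippy'
	);

	// Behaviour-selecting value: allow-list, fall back to a safe default.
	$allowed_agents = array( 'clippy', 'merlin', 'links' ); // hypothetical agent names
	$agent = in_array( $atts['agent'], $allowed_agents, true ) ? $atts['agent'] : 'clippy';

	// Numeric value: coerce to a non-negative integer; nothing else survives.
	$delay = absint( $atts['delay'] );

	// Free text: escape for the context where it is emitted. esc_attr() inside
	// attribute values, esc_html() for element content. If limited markup must
	// be allowed, use wp_kses() with an explicit tag allow-list instead.
	return sprintf(
		'<div class="clippy" data-agent="%s" data-delay="%d">%s</div>',
		esc_attr( $agent ),
		$delay,
		esc_html( $atts['message'] )
	);
}

add_shortcode( 'clippy', 'example_clippy_shortcode_hardened' );
```

The escaping has to live in the callback because the KSES filtering WordPress applies to posts saved by users without the unfiltered_html capability runs on the stored post content, not on the HTML a shortcode callback returns when the page is rendered; that output is inserted as-is. For the content audit the recommendations below call for, search post content for the `[clippy` shortcode and review any attribute values containing quotes or angle brackets.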

Affected Systems

WordPress sites running the WP-Clippy plugin, versions 1.0.0 and earlier.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score is not available and the vulnerability is not listed in CISA KEV. Because exploitation requires an authenticated account with contributor-level access, public exposure is limited, but once the malicious content is stored it affects every user who views the impacted page. The risk remains significant for sites that allow contributor-level users to submit or edit shortcode content.

Generated by OpenCVE AI on May 5, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP-Clippy to a version that includes input sanitization fixes
  • Remove or replace any pages containing malicious shortcode attributes
  • Audit site content for injected scripts and clean them
  • Limit contributor privileges to prevent insertion of malicious attributes if a fix is not available

Advisories

No advisories yet.

History

Wed, 06 May 2026 13:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 09:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Bitacre
                                      Bitacre wp-clippy
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Bitacre
                                      Bitacre wp-clippy
                                      Wordpress
                                      Wordpress wordpress

Tue, 05 May 2026 02:45:00 +0000

Type          Values Removed   Values Added
Description                    The WP-Clippy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `clippy` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                          WP-Clippy <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Bitacre Wp-clippy
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-06T12:29:29.592Z

Reserved: 2026-04-03T16:08:43.449Z

Link: CVE-2026-5505

Vulnrichment

Updated: 2026-05-06T12:29:26.300Z

NVD

Status: Deferred

Published: 2026-05-05T03:16:00.100

Modified: 2026-05-05T19:09:32.000

Link: CVE-2026-5505

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T09:22:03Z

Weaknesses