Description
The WP-Clippy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `clippy` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-05
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP‑Clippy plugin suffers from insufficient sanitization of shortcode attributes, resulting in a stored cross‑site scripting (XSS) flaw. An authenticated user with contributor or higher privileges can inject arbitrary JavaScript into any page that uses the clippy shortcode. When another visitor loads that page, the malicious script runs in their browser, potentially compromising session cookies, stealing credentials, or defacing content.
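The mechanism described above, as an added illustration that is not WP-Clippy's code: a hypothetical WordPress shortcode handler (the tag `example_clippy` and the attributes `text`, `color` and `align` are assumptions) shown first in the unescaped form that produces this class of bug and then in a hardened form. In WordPress, a contributor's post content is filtered by KSES on save, but a shortcode's attribute values are plain text to that filter and reach the handler unchanged, so the handler itself has to validate or escape every attribute at the point where it is written into HTML.

```php
<?php
// Added example, not WP-Clippy's code: a hypothetical shortcode that renders
// a caller-supplied text balloon. The tag and attribute names are assumed.

// Unsafe pattern: attribute values flow straight into an HTML attribute and
// into text content. A quote or angle bracket in either value changes the
// markup the browser sees, which is the CWE-79 condition in the description.
function example_clippy_unsafe( $atts ) {
	$atts = shortcode_atts( array( 'text' => '', 'color' => '#000000' ), $atts, 'example_clippy' );
	return '<div class="clippy" style="color:' . $atts['color'] . '">' . $atts['text'] . '</div>';
}

// Hardened pattern: validate what can be validated, escape the rest for the
// exact context it lands in, and do both at output time.
function example_clippy_safe( $atts ) {
	$atts = shortcode_atts(
		array(
			'text'  => '',
			'color' => '#000000',
			'align' => 'left',
		),
		$atts,
		'example_clippy'
	);

	// Enumerated value: compare against an allowlist rather than escaping.
	$align = in_array( $atts['align'], array( 'left', 'right', 'center' ), true )
		? $atts['align']
		: 'left';

	// Structured value that ends up inside a style attribute: accept only a
	// six-digit hex colour, otherwise fall back to the default.
	$color = preg_match( '/^#[0-9a-fA-F]{6}$/', $atts['color'] ) ? $atts['color'] : '#000000';

	// Free text: esc_html() for HTML text content, esc_attr() for the
	// attribute contexts. Both are WordPress core escaping functions.
	return sprintf(
		'<div class="clippy clippy-%s" style="color:%s">%s</div>',
		esc_attr( $align ),
		esc_attr( $color ),
		esc_html( $atts['text'] )
	);
}

add_shortcode( 'example_clippy', 'example_clippy_safe' );
```

The `style` attribute is the case to watch: an escaped value is still interpreted as CSS once it is inside `style`, so the colour is validated by pattern instead of merely escaped. Where an attribute legitimately needs to carry a limited subset of HTML, passing the value through `wp_kses_post()` is the core-supplied alternative to `esc_html()`.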

Affected Systems

WordPress sites running the WP‑Clippy plugin, versions 1.0.0 and earlier.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score is not available and the vulnerability is not listed in CISA KEV. Because an attacker must be authenticated at a contributor level, the public exposure is limited, but once the malicious content is stored it affects all users who view the impacted page. The risk remains significant for sites that allow contributor‑level users to submit or edit shortcode content.

Generated by OpenCVE AI on May 5, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP‑Clippy to a version that includes input sanitization fixes
  • Remove or replace any pages containing malicious shortcode attributes
  • Audit site content for injected scripts and clean them
  • Limit contributor privileges to prevent insertion of malicious attributes if a fix is not available



Advisories

No advisories yet.

History

Tue, 05 May 2026 02:45:00 +0000

Type         Values Removed   Values Added
Description                   The WP-Clippy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `clippy` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                         WP-Clippy <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses                    CWE-79
References
Metrics                       cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-05T02:26:58.744Z

Reserved: 2026-04-03T16:08:43.449Z

Link: CVE-2026-5505

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T03:16:00.100

Modified: 2026-05-05T03:16:00.100

Link: CVE-2026-5505

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T04:00:13Z

Weaknesses