Description
The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wave` shortcode in all versions up to, and including, 0.2.6. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises because the Wavr plugin's `wave` shortcode does not properly sanitize and escape user-provided attributes. An authenticated user with contributor or higher privileges can embed arbitrary JavaScript that is stored and executed whenever a page containing the shortcode is accessed. The result is persistent cross-site scripting, which would allow the attacker to steal session cookies, inject tracking scripts, or perform other malicious actions on behalf of site visitors.
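As an added illustration of the bug class described above, the following is a hypothetical `wave` shortcode handler (not the Wavr plugin's own code) in its unsafe form beside a hardened one; it assumes it runs inside WordPress, where `add_shortcode`, `shortcode_atts`, `absint`, `sanitize_text_field`, `esc_attr` and `esc_html` are available, and the attribute names `height`, `color` and `label` are invented for the example.

```php
<?php
// Hypothetical example, not code from the Wavr plugin.
// Assumes the WordPress runtime (add_shortcode, shortcode_atts, esc_attr, ...).

$wave_defaults = array( 'height' => '40', 'color' => '#0066cc', 'label' => '' );

// UNSAFE PATTERN: shortcode attributes are concatenated straight into HTML.
// Shortcode attributes are author-controlled, and a contributor's attribute value
// containing a double quote closes the attribute, so the rest of the value is
// parsed by the browser as new attributes or markup (stored XSS, CWE-79).
function wave_shortcode_unsafe( $atts ) {
    global $wave_defaults;
    $atts = shortcode_atts( $wave_defaults, $atts, 'wave' );
    return '<div class="wave" style="height:' . $atts['height'] . 'px;color:' . $atts['color']
         . '" title="' . $atts['label'] . '">' . $atts['label'] . '</div>';
}

// HARDENED PATTERN: validate each attribute against the shape it must have
// (allowlist), then escape it for the exact context it lands in.
function wave_shortcode_safe( $atts ) {
    global $wave_defaults;
    $atts = shortcode_atts( $wave_defaults, $atts, 'wave' );

    // height: integer only, within a sane range; anything else falls back to default.
    $height = absint( $atts['height'] );
    if ( $height < 1 || $height > 1000 ) {
        $height = (int) $wave_defaults['height'];
    }

    // color: strict #rrggbb allowlist, so no CSS or quote characters can get through.
    $color = preg_match( '/^#[0-9a-fA-F]{6}$/', $atts['color'] )
        ? $atts['color']
        : $wave_defaults['color'];

    // label: strip tags and control characters, then escape per output context.
    $label = sanitize_text_field( $atts['label'] );

    return sprintf(
        '<div class="wave" style="height:%dpx;color:%s" title="%s">%s</div>',
        $height,
        esc_attr( $color ),   // attribute context
        esc_attr( $label ),   // attribute context
        esc_html( $label )    // element text context
    );
}

// Register only the hardened handler; the unsafe one is kept for comparison.
add_shortcode( 'wave', 'wave_shortcode_safe' );
```

A quick check when reviewing any shortcode: every `$atts[...]` that reaches the returned string should pass through a validator or an `esc_*` function matching its context first.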

Affected Systems

Affected systems are WordPress installations that use the Wavr plugin version 0.2.6 or earlier. The vendor is lucascaro. All releases up to and including that version are impacted, as the source code shown in the references contains the vulnerable functions. Sites that still run any of these versions, regardless of their specific WordPress version, are susceptible.

Risk and Exploitability

The CVSS base score of 6.4 indicates a moderate impact, and the requirement of authenticated contributor access limits the attack surface to users who already hold site privileges. Because there is no EPSS score and no listing in KEV, the likelihood of exploitation is uncertain, but the potential impact on the confidentiality, integrity, and availability of all site visitors is significant. The vulnerability is therefore a moderate-to-high risk for sites where the shortcode is used and where contributors are trusted but could be compromised.

Generated by OpenCVE AI on April 8, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wavr plugin to a patched version (0.2.7 or later).
  • If an upgrade is not feasible, disable or remove the wave shortcode from content to prevent XSS.

Generated by OpenCVE AI on April 8, 2026 at 08:51 UTC.


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Lucascaro; Lucascaro wavr; Wordpress; Wordpress wordpress
Vendors & Products                    Lucascaro; Lucascaro wavr; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 07:00:00 +0000

Type          Values Removed   Values Added
Description                    The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wave` shortcode in all versions up to, and including, 0.2.6. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                          Wavr <= 0.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Lucascaro Wavr
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:54.613Z

Reserved: 2026-04-03T16:32:34.231Z

Link: CVE-2026-5506

Vulnrichment

Updated: 2026-04-08T13:54:08.524Z

NVD

Status : Deferred

Published: 2026-04-08T07:16:23.203

Modified: 2026-04-24T18:15:28.940

Link: CVE-2026-5506

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:36Z

Weaknesses