Description
The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross-site scripting that allows authenticated contributors or higher to inject and execute arbitrary JavaScript on target pages
Action: Upgrade Plugin
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw (CWE‑79) in the Posts map plugin, caused by insufficient sanitization of the "name" shortcode attribute. An attacker who holds contributor or higher privileges can submit content containing malicious scripts that are persisted and rendered on page load, leading to code execution in the browsers of all users who view the affected page.

Affected Systems

The issue affects the Posts map WordPress plugin developed by lucdecri, with all releases up to and including version 0.1.3. Users who have installed these or earlier versions are at risk if they grant contributor or higher access to the site.

Risk and Exploitability

The vulnerability scores a CVSS of 6.4, indicating moderate severity. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog, suggesting limited public exploitation data. Nevertheless, exploitation requires only authenticated access with contributor or higher role, which is commonly assigned for content management. An attacker can exploit the flaw by creating or editing a post that uses the "name" attribute, causing the stored script to run whenever any user visits the page. Because the payload runs in the user's browser, it can lead to theft of session cookies, defacement, or further compromise of the victim's system.

Generated by OpenCVE AI on April 22, 2026 at 09:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Posts map plugin to a version newer than 0.1.3 if an update is available
  • If an update cannot be applied, disable or remove the plugin to eliminate the attack vector
  • Restrict contributor or higher role users from using the plugin or grant permissions through a role that excludes the "name" attribute usage

Generated by OpenCVE AI on April 22, 2026 at 09:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Lucdecri
Lucdecri posts Map
Wordpress
Wordpress wordpress
Vendors & Products Lucdecri
Lucdecri posts Map
Wordpress
Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Description The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Posts map <= 0.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Lucdecri Posts Map
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T13:51:37.615Z

Reserved: 2026-04-13T16:12:39.669Z

Link: CVE-2026-6236

cve-icon Vulnrichment

Updated: 2026-04-22T13:51:28.167Z

cve-icon NVD

Status : Received

Published: 2026-04-22T09:16:26.400

Modified: 2026-04-22T09:16:26.400

Link: CVE-2026-6236

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:43:51Z

Weaknesses