CVE-2026-10089 Overview
CVE-2026-10089 is a Stored Cross-Site Scripting (XSS) vulnerability in the Insert Pages plugin for WordPress, affecting all versions up to and including 3.11.4. The flaw exists in the plugin's the_meta() function, which fails to escape custom field keys (meta key names) before rendering them in HTML output. Authenticated attackers with author-level access or higher can inject arbitrary JavaScript that executes when users view an inserted page rendered through the [insert page='ID' display='all'] shortcode. The vulnerability is categorized under [CWE-79] Improper Neutralization of Input During Web Page Generation.
Critical Impact
Authenticated attackers with author-level access can inject persistent JavaScript payloads that execute in the browser of any visitor to an affected page, enabling session hijacking, credential theft, and administrative account takeover.
Affected Products
- WordPress Insert Pages plugin versions up to and including 3.11.4
- WordPress sites using the [insert page] shortcode with display='all'
- WordPress installations allowing author-level or higher user registration
Discovery Timeline
- 2026-07-02 - CVE-2026-10089 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-10089
Vulnerability Analysis
The Insert Pages plugin provides a shortcode allowing content editors to embed one WordPress page inside another. When the shortcode is used with the display='all' parameter, the plugin renders the target page's custom fields (post meta) through its the_meta() function. The plugin applies wp_kses_post() sanitization to custom field values but never escapes the custom field keys themselves. Because meta keys can be created and controlled by any user with post editing privileges, an attacker with author-level access can craft a meta key containing HTML or JavaScript. When another user views a page that inserts this content, the browser parses and executes the injected script under the site's origin.
Root Cause
The root cause is insufficient output escaping in the plugin's the_meta() function within insert-pages.php. On lines 1786-1791, the $key variable is interpolated directly into the rendered HTML markup, and on line 1806 it is echoed to the response body without passing through esc_html(), esc_attr(), or any equivalent escaping routine. The developer sanitized the value but overlooked the key as a taint source, violating WordPress secure coding guidance that requires context-appropriate escaping at the point of output.
Attack Vector
Exploitation requires an authenticated user account with author-level privileges or higher. The attacker creates or edits a post, adds a custom field whose key contains an XSS payload such as an HTML <script> tag or an event handler attribute, and waits for the target post to be embedded elsewhere on the site through the Insert Pages shortcode with display='all'. When any visitor - including administrators - loads the embedding page, the payload executes in their browser session. The scope-changing nature of the vulnerability allows the attacker to reach victims with higher privileges than the attacker holds.
No public proof-of-concept code has been published for this vulnerability. Refer to the Wordfence Vulnerability Report and the WordPress plugin source for technical details on the affected code paths.
Detection Methods for CVE-2026-10089
Indicators of Compromise
- Custom field (post meta) keys containing HTML tags, JavaScript event handlers, or <script> fragments in the wp_postmeta database table.
- Unexpected outbound requests from browser sessions of administrators or editors after visiting pages rendered by the [insert page] shortcode.
- New administrator accounts, plugin installations, or theme file modifications following author-level account activity.
Detection Strategies
- Query the wp_postmeta table for meta_key values containing characters such as <, >, ", or javascript:, which should never appear in legitimate meta key names.
- Review web server access logs for requests to posts using the [insert page] shortcode combined with sessions belonging to author-level accounts editing meta keys.
- Correlate WordPress audit logs of post meta creation events with subsequent administrator page views of the same content.
Monitoring Recommendations
- Enable a WordPress activity logging plugin to capture custom field creation and modification events, including the actor and key name.
- Monitor Content Security Policy (CSP) violation reports for inline script execution on pages that embed other content via shortcodes.
- Alert on any privilege elevation, user role change, or plugin installation performed shortly after author-level meta edits.
How to Mitigate CVE-2026-10089
Immediate Actions Required
- Update the Insert Pages plugin to the version released in changeset 3579298, which introduces escaping for the $key variable.
- Audit all existing post meta keys for suspicious content and remove or sanitize any entries containing HTML or script syntax.
- Review author-level and contributor accounts, disabling any that are unused or unrecognized.
Patch Information
The vendor addressed the vulnerability in the release following version 3.11.4. The fix is tracked in WordPress plugin changeset 3579298 and adds escaping to the custom field key output within the_meta(). Site owners should apply the update through the WordPress plugin management interface or automated update mechanism as soon as possible.
Workarounds
- Deactivate the Insert Pages plugin until the patched version can be installed if immediate updating is not possible.
- Restrict use of the display='all' attribute in the [insert page] shortcode across site templates and content.
- Limit author-level and higher privileges to trusted users only, and require multi-factor authentication for all content editors.
# Detection example: identify suspicious meta keys via WP-CLI (adjust the wp_ table prefix to match the site; wp db query does not substitute it)
wp db query "SELECT post_id, meta_key FROM wp_postmeta WHERE meta_key REGEXP '[<>\"]|script|javascript:'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

