CVE-2026-1095 Overview
CVE-2026-1095 is a Stored Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting the Canto Testimonials plugin for WordPress in all versions up to and including 1.0. The flaw exists in the handling of the fx shortcode attribute due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript into pages. The injected scripts execute in the browser of any user who views the affected page, including administrators.
Critical Impact
Authenticated attackers with Contributor-level privileges can store malicious JavaScript that executes in administrator browsers, enabling session hijacking, privilege escalation, and arbitrary actions in the WordPress admin context.
Affected Products
- Canto Testimonials plugin for WordPress — all versions through 1.0
- WordPress sites running the plugin where users holding the Contributor role or higher can place its shortcode in post content
- Sites that accept content from untrusted or semi-trusted authors (guest writers, community contributors) with the plugin enabled
Discovery Timeline
- 2026-01-24 - CVE-2026-1095 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-1095
Vulnerability Analysis
The Canto Testimonials plugin registers a shortcode that accepts a user-controlled fx attribute and concatenates the value into its HTML output without sanitizing it on input or escaping it on output. Shortcodes are expanded by do_shortcode() on the the_content filter each time the post is rendered, which happens after the kses filtering WordPress applies to a Contributor's content on save. kses strips <script> elements and event-handler attributes from HTML tags, but it does not inspect the text inside a [shortcode ...] block, so a payload that breaks out of the attribute the plugin emits (a value that begins with a closing quote followed by an on* handler, for instance) is stored intact and reaches the browser as live markup.
Exploitation requires an authenticated account at the Contributor role or higher. Contributors can create posts containing shortcodes but cannot publish them, so the post sits in pending review until an Editor or Administrator opens it; previewing or publishing it renders the shortcode and runs the script under the reviewer's session. Once published, the payload also fires for every visitor, which makes the attack surface broader than administrator-only flaws.
Stored XSS in WordPress carries elevated risk because a payload that runs in an administrator's browser inherits that administrator's cookies and nonces for wp-admin. Attackers commonly use such flaws to create rogue administrator accounts, harvest nonces to forge further admin requests, or plant backdoors through the built-in theme and plugin file editors.
Root Cause
The root cause is missing sanitization of the fx shortcode attribute before it is concatenated into HTML output. The plugin source at canto-testimonials.php line 132 emits the attribute value directly without passing it through esc_attr() (for attribute context) or wp_kses() (for markup). See the WordPress Plugin Source Code for the affected code path.
Attack Vector
Exploitation requires network access to a WordPress site and an authenticated session with at least Contributor privileges. An attacker creates or edits a post containing the Canto Testimonials shortcode and supplies a malicious payload through the fx attribute. When any subsequent user loads the rendered page, including the Editor or Administrator who reviews the pending post, the injected JavaScript executes in their browser session. For technical details, refer to the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2026-1095
Indicators of Compromise
- Post or page content containing the Canto Testimonials shortcode with unusual fx attribute values that include HTML tags, <script> blocks, or JavaScript event handlers such as onerror and onload
- Unexpected administrator account creation, password resets, or plugin installations following Contributor account activity
- Outbound browser requests from admin sessions to attacker-controlled domains immediately after visiting Contributor-authored content
Detection Strategies
- Audit the wp_posts table (including revision and autosave rows, which share the table) for shortcode usage matching [canto-testimonials with fx values containing angle brackets, quotes, on*= event handlers, or javascript: URLs
- Review request logs for HTTP POST requests to /wp-admin/post.php and /wp-admin/admin-ajax.php from Contributor-role accounts; standard web server access logs do not record request bodies, so this requires WAF or application-level logging that captures POST payloads
- Inspect rendered page output for unescaped script content originating from shortcode attributes
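As an added example (not code from the Canto Testimonials plugin or from the advisory's sources), the following Python models the root cause described above and implements the wp_posts audit from the detection strategies: it parses shortcode attributes the way WordPress's shortcode_parse_atts() does, flags fx values that carry breakout or script tokens, and renders the same payload through an unescaped attribute sink and an esc_attr()-style escaped one so the difference is visible as the attributes a browser would actually see. The shortcode tag canto-testimonials, the data-fx attribute as the sink, and the sample rows are assumptions.

```python
"""Audit wp_posts rows for the canto-testimonials shortcode and model the fx escaping flaw.

Added example, not code from the Canto Testimonials plugin. The shortcode tag, the
data-fx attribute sink, and the sample rows are all assumptions.
"""
import html
import re
from html.parser import HTMLParser

# Shortcode tag as used in this advisory's queries (assumed; confirm against the plugin source).
SHORTCODE_TAG = "canto-testimonials"

# One shortcode instance. As in WordPress's own shortcode regex, the tag must not be followed
# by a word character or '-', and the attribute text cannot contain ']'.
SHORTCODE_RE = re.compile(r"\[" + re.escape(SHORTCODE_TAG) + r"(?![\w-])([^\]]*)\]")

# Attribute grammar modelled on shortcode_parse_atts(): name="v", name='v', name=v.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Characters and tokens that can break out of an attribute or carry script.
SUSPICIOUS_RE = re.compile(r"""[<>"']|\bon\w+\s*=|javascript\s*:""", re.I)

# Constructed sample rows in the shape of (ID, post_author, post_content) from wp_posts.
SAMPLE_POSTS = [
    (101, 3, 'Welcome to the site. [canto-testimonials fx="fade"]'),
    (102, 7, '[canto-testimonials fx=slide count=3]'),
    # Attribute breakout: survives kses on a Contributor post because nothing here is an HTML tag.
    (103, 7, """[canto-testimonials fx='" onmouseover="alert(document.cookie)']"""),
    # Tag injection: kses strips the onerror handler from Contributor content, so this form
    # implies a user with unfiltered_html (or disabled filtering); it is still flagged.
    (104, 7, '[canto-testimonials fx="<img src=x onerror=alert(1)>"]'),
    (105, 2, 'No shortcode here, just <b>bold</b> text.'),
]


def parse_shortcode_atts(attr_text: str) -> dict:
    """Return {name: value} for the attribute text of one shortcode."""
    atts = {}
    for m in ATTR_RE.finditer(attr_text):
        name, dq, sq, bare = m.groups()
        atts[name.lower()] = dq if dq is not None else sq if sq is not None else bare
    return atts


def scan_posts(rows):
    """Yield (post_id, author_id, fx_value) for each shortcode whose fx attribute looks injected.

    rows: iterable of (ID, post_author, post_content) tuples, e.g. the result of
    SELECT ID, post_author, post_content FROM wp_posts (revisions share this table).
    """
    for post_id, author_id, content in rows:
        for m in SHORTCODE_RE.finditer(content):
            fx = parse_shortcode_atts(m.group(1)).get("fx")
            if fx is not None and SUSPICIOUS_RE.search(fx):
                yield post_id, author_id, fx


def render_vulnerable(fx: str) -> str:
    """Models the flaw: the raw attribute value concatenated into markup (sink is assumed)."""
    return f'<div class="canto-testimonials" data-fx="{fx}"></div>'


def render_hardened(fx: str) -> str:
    """Same sink with esc_attr()-style escaping: html.escape(quote=True) encodes the
    ampersand, both angle brackets and both quote characters, as esc_attr() does."""
    return f'<div class="canto-testimonials" data-fx="{html.escape(fx, quote=True)}"></div>'


class _FirstTagAttrs(HTMLParser):
    """Collects the attribute names on the first start tag, as a browser would tokenise them."""

    def __init__(self):
        super().__init__()
        self.names = None

    def handle_starttag(self, tag, attrs):
        if self.names is None:
            self.names = [name for name, _ in attrs]


def tag_attribute_names(markup: str) -> list:
    """Attribute names the browser sees on the first tag; an extra on* name means breakout."""
    parser = _FirstTagAttrs()
    parser.feed(markup)
    parser.close()
    return parser.names or []


if __name__ == "__main__":
    for post_id, author_id, fx in scan_posts(SAMPLE_POSTS):
        print(f"post {post_id} (author {author_id}): suspicious fx={fx!r}")
    payload = parse_shortcode_atts(SHORTCODE_RE.search(SAMPLE_POSTS[2][2]).group(1))["fx"]
    print("vulnerable:", tag_attribute_names(render_vulnerable(payload)))
    print("hardened:  ", tag_attribute_names(render_hardened(payload)))
```

To use it on a real site, feed scan_posts() rows exported from the posts table (for example the output of wp db query or a database dump) rather than the constructed SAMPLE_POSTS. The scanner is deliberately context-independent: it flags any fx value that could be dangerous in some sink, whereas the render functions show only the assumed quoted-attribute sink, where the breakout form (row 103) is the one that actually yields a new onmouseover attribute.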
Monitoring Recommendations
- Enable audit logging for post creation and edits by non-administrator users; WordPress core keeps post revisions but no audit trail, so this requires an audit-logging plugin, and the revisions themselves can be diffed to see when a shortcode attribute changed
- Monitor for new administrative accounts, role changes, and plugin or theme file modifications that follow Contributor-authored content publication
- Deploy a web application firewall with rules covering common XSS payloads on POST requests to WordPress editor endpoints
How to Mitigate CVE-2026-1095
Immediate Actions Required
- Disable or remove the Canto Testimonials plugin until a patched version is released, since all versions up to 1.0 are affected
- Restrict Contributor and Author role assignments to trusted users only, and review existing low-privilege accounts for unfamiliar entries
- Review all existing posts and pages for canto-testimonials shortcode usage and remove instances containing untrusted attribute values
Patch Information
No patched version is listed in the available CVE data. Monitor the Wordfence Vulnerability Analysis and the plugin's repository for a fixed release.
Workarounds
- Deactivate the Canto Testimonials plugin until an updated version with proper sanitization is available
- Use a web application firewall to block requests containing script tags or JavaScript event handlers in shortcode attributes submitted to WordPress editor endpoints
- Apply a Content Security Policy without 'unsafe-inline' in script-src, which blocks both inline <script> blocks and on* event-handler payloads; note that wp-admin itself depends on inline scripts, so a strict policy is usually only deployable on the public front end and does not protect the reviewer who triggers the payload in the editor
# Example: Deactivate the plugin via WP-CLI
wp plugin deactivate canto-testimonials
# Example: Search posts (including revisions, which share the table) for the vulnerable shortcode usage;
# use the site's real table prefix rather than assuming wp_
wp db query "SELECT ID, post_author, post_status, post_title FROM $(wp db prefix)posts WHERE post_content LIKE '%[canto-testimonials%fx=%'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

