CVE-2026-1755 Overview
CVE-2026-1755 is a Stored Cross-Site Scripting (XSS) vulnerability in the Menu Icons by ThemeIsle plugin for WordPress. All versions up to and including 0.13.20 are affected. The plugin fails to sanitize input and escape output for the _wp_attachment_image_alt post meta value, allowing script injection through menu icon image alt text.
Authenticated attackers with Author-level access or higher can inject arbitrary JavaScript that executes when any visitor or administrator loads an affected page. The flaw is tracked as CWE-79: Improper Neutralization of Input During Web Page Generation.
Critical Impact
Authenticated users with the Author role or higher can plant persistent JavaScript payloads that execute in the browser of any visitor, enabling session theft, administrator account takeover, and arbitrary actions on behalf of higher-privileged users.
Affected Products
- Menu Icons by ThemeIsle plugin for WordPress, versions up to and including 0.13.20
- WordPress sites that grant Author-level or higher roles to untrusted users
- Public-facing WordPress pages rendering menus produced by the plugin
Discovery Timeline
- 2026-02-03 - CVE-2026-1755 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-1755
Vulnerability Analysis
The Menu Icons by ThemeIsle plugin renders menu icons that can include image attachments. When a menu uses an image icon, the plugin retrieves the attachment's _wp_attachment_image_alt post meta value and emits it as part of the rendered HTML markup on the front end.
The vulnerable rendering occurs in includes/front.php around line 497, where the alt text is concatenated into output without sufficient sanitization or escaping. See the vulnerable source in the WordPress plugin repository for the exact rendering path.
Because the payload is stored in post meta and rendered every time the page loads, the XSS is persistent. Author-level users in WordPress can upload media and set arbitrary alt text, satisfying the attacker prerequisites. The Wordfence vulnerability analysis documents the issue.
Root Cause
The root cause is missing output escaping when the plugin writes the _wp_attachment_image_alt meta value into HTML attributes. WordPress does not sanitize alt text on input beyond basic string handling, so plugins must escape the value at output using functions such as esc_attr(). The plugin failed to do so before the fix in changeset 3452685.
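The unsafe pattern and its hardened form side by side, as an added example that is not code from the Menu Icons plugin or its changeset. The render_icon_unsafe/render_icon_safe functions, the attribute_count checker and the sample alt text are constructed for illustration; esc_attr() is WordPress's attribute escaper, and a stand-in with the same ENT_QUOTES behaviour is defined so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. esc_attr() comes from WordPress; the
// stand-in below (htmlspecialchars with ENT_QUOTES) approximates it so this
// script runs stand-alone. WordPress's real esc_attr avoids double-encoding
// existing entities, which this stand-in does not attempt.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the raw post meta value is concatenated into an attribute.
function render_icon_unsafe(string $src, string $alt): string {
    return '<img src="' . $src . '" alt="' . $alt . '">';
}

// Hardened pattern: escape at the point of output, for the attribute context.
// (WordPress would normally pass a URL through esc_url(); esc_attr is used for
// both here to keep the stand-alone script to one escaper.)
function render_icon_safe(string $src, string $alt): string {
    return '<img src="' . esc_attr($src) . '" alt="' . esc_attr($alt) . '">';
}

// Counts name="value" attributes in the rendered tag; an attribute breakout
// shows up as an extra attribute that the author never intended to emit.
function attribute_count(string $html): int {
    return preg_match_all('/\s[a-z_-]+="[^"]*"/i', $html);
}

// Constructed alt text that closes the alt attribute and appends a handler,
// the shape of input an Author-level account can store as image alt text.
$alt = 'Site logo" onerror="x()';
$src = 'https://example.invalid/logo.png';

$rendered = [
    'unsafe' => render_icon_unsafe($src, $alt),
    'safe'   => render_icon_safe($src, $alt),
];
foreach ($rendered as $label => $html) {
    printf("%-6s attributes=%d  %s\n", $label, attribute_count($html), $html);
}
```

The unsafe rendering yields three attributes (src, alt and the injected handler), while the escaped version keeps the whole value inside alt as two attributes.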
Attack Vector
Exploitation requires an authenticated WordPress account with the Author role or higher. The attacker uploads an image, sets the alt text to a payload that breaks out of the HTML attribute context (for example, by closing the attribute and inserting an event handler such as onerror), and assigns that image as a menu icon. When any visitor loads a page rendering that menu, the injected script executes in their browser session. No user interaction beyond normal page navigation is required for the payload to fire.
No verified public proof-of-concept code is referenced in the advisory. The vulnerability mechanism is described in prose because no sanitized exploit samples are available from authoritative sources.
Detection Methods for CVE-2026-1755
Indicators of Compromise
- Unexpected <script> tags, onerror, onload, or onclick attributes appearing in rendered menu HTML on the front end
- _wp_attachment_image_alt post meta values in the wp_postmeta table containing HTML special characters such as ", <, >, or javascript:
- New media library uploads from Author-level accounts immediately followed by menu edits
- Outbound browser requests from site visitors to attacker-controlled domains referenced from menu pages
Detection Strategies
- Query wp_postmeta for meta_key = '_wp_attachment_image_alt' and inspect values for HTML tags, event handlers, or encoded payloads
- Audit the plugin version against wp-content/plugins/menu-icons/menu-icons.php to confirm whether the installation is at or below 0.13.20
- Review WordPress audit logs for Author-level accounts performing media uploads combined with menu modifications
- Monitor web application firewall (WAF) logs for requests to admin-ajax.php and /wp-admin/post.php carrying script-like payloads in alt-text fields
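A classifier for stored alt-text values built from the indicators and the wp_postmeta query above, as an added example that is not code from the plugin or from Wordfence. The alt_text_findings function and the sample rows are constructed for illustration; on a live site the rows would be the result of the query in the detection strategies.

```php
<?php
// Added example, not the plugin's or Wordfence's code: flag stored
// _wp_attachment_image_alt values using the indicators listed above (tags,
// event handler attributes, javascript: URLs, attribute-closing quotes, and
// entity- or URL-encoded forms of these).
function alt_text_findings(string $value): array {
    $findings = [];
    // Decode entity- and URL-encoded forms once so encoded payloads are inspected too.
    $decoded = rawurldecode(html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    if (preg_match('/<\s*[a-z!\/]/i', $decoded)) {
        $findings[] = 'html tag';
    }
    if (preg_match('/\bon[a-z]+\s*=/i', $decoded)) {
        $findings[] = 'event handler attribute';
    }
    if (preg_match('/javascript\s*:/i', $decoded)) {
        $findings[] = 'javascript: scheme';
    }
    // The indicator list names the double quote as the attribute-closing
    // character; widen this to ' if a theme renders the attribute single-quoted.
    if (strpos($decoded, '"') !== false) {
        $findings[] = 'double quote (attribute breakout)';
    }
    if ($findings && $decoded !== $value) {
        $findings[] = 'value was entity- or URL-encoded';
    }
    return $findings;
}

// Constructed rows in the shape of: SELECT post_id, meta_value FROM wp_postmeta ...
$rows = [
    ['post_id' => 101, 'meta_value' => 'Company logo, blue on white'],
    ['post_id' => 102, 'meta_value' => 'Logo" onerror="x()'],
    ['post_id' => 103, 'meta_value' => '&lt;svg onload=x&gt;'],
    ['post_id' => 104, 'meta_value' => 'Read more: javascript:void(0)'],
    ['post_id' => 105, 'meta_value' => "O'Reilly storefront banner"],
];
foreach ($rows as $row) {
    $f = alt_text_findings($row['meta_value']);
    printf("post %d: %s\n", $row['post_id'],
        $f ? 'SUSPICIOUS (' . implode('; ', $f) . ')' : 'ok');
}
```

Rows 101 and 105 come back clean (the apostrophe in 105 does not close a double-quoted attribute), while 102 through 104 are flagged with the reason, and 103 is additionally marked as having arrived entity-encoded.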
Monitoring Recommendations
- Enable WordPress security logging plugins to record post meta changes and role-based actions
- Forward web server access logs and WordPress audit data to a centralized SIEM for correlation across user sessions and content modifications
- Alert on new or modified menu items containing media references whose alt text fails strict allowlist validation
How to Mitigate CVE-2026-1755
Immediate Actions Required
- Update the Menu Icons by ThemeIsle plugin to a version higher than 0.13.20 that includes the fix from changeset 3452685
- Audit all WordPress accounts with Author role or higher and revoke access for unnecessary users
- Inspect existing _wp_attachment_image_alt values and remove any entries containing HTML or scripting constructs
- Rotate session cookies and administrator credentials if any suspicious alt-text entries are discovered
Patch Information
The vendor remediated the issue in changeset 3452685, which adds proper escaping to the affected output in includes/front.php. Site administrators should upgrade through the WordPress plugin dashboard or by replacing the plugin files with the fixed release. Confirm the deployed version is greater than 0.13.20 after upgrade.
Workarounds
- Temporarily deactivate the Menu Icons by ThemeIsle plugin until the update is applied
- Restrict content creation to trusted users by removing Author and higher roles from non-essential accounts
- Deploy a WAF rule to block requests submitting HTML or script characters to the attachment alt-text field
- Apply Content Security Policy (CSP) headers that disallow inline scripts to reduce the impact of stored XSS payloads
# Example: identify potentially malicious alt-text entries via WP-CLI
# (the table name assumes the default wp_ prefix; substitute your site's prefix if it differs)
wp db query "SELECT post_id, meta_value FROM wp_postmeta \
WHERE meta_key = '_wp_attachment_image_alt' \
AND (meta_value LIKE '%<%' OR meta_value LIKE '%javascript:%' OR meta_value LIKE '%onerror=%');"
# Update the vulnerable plugin, then confirm the installed version is above 0.13.20
wp plugin update menu-icons
wp plugin get menu-icons --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.