CVE-2026-1806 Overview
The Tour & Activity Operator Plugin for TourCMS plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the target parameter of the tourcms_doc_link shortcode. All versions up to and including 1.7.0 are affected due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that execute whenever a user accesses the compromised page.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute in the context of other users' sessions, potentially leading to session hijacking, credential theft, or further compromise of WordPress site visitors.
Affected Products
- Tour & Activity Operator Plugin for TourCMS for WordPress versions up to and including 1.7.0
Discovery Timeline
- 2026-03-21 - CVE CVE-2026-1806 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-1806
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The specific variant is Stored XSS, which is particularly dangerous because the malicious payload persists in the database and executes each time a user views the affected page.
The vulnerability exists in the tourcms_doc_link shortcode handler within the tourcms-plugin.php file at line 1530. When processing the target attribute, the plugin fails to properly sanitize user-supplied input before rendering it in the HTML output. This allows an attacker to craft a malicious shortcode that embeds JavaScript code into the page.
Since the attack requires Contributor-level access, the threat actor must first obtain valid credentials. However, in multi-user WordPress environments or sites that allow contributor registrations, this barrier is relatively low. Once exploited, the stored script will execute in the browsers of all visitors to the affected page, including administrators.
Root Cause
The root cause is insufficient input sanitization and output escaping in the shortcode handler for tourcms_doc_link. The target parameter is processed and rendered without being passed through WordPress sanitization functions such as esc_attr() or wp_kses(). This allows HTML and JavaScript content to be stored in the database and subsequently rendered unescaped in the page output.
Attack Vector
The attack is network-based and requires low privileges (Contributor-level or above) with no user interaction needed for exploitation. An attacker with contributor access would create or edit a post containing a malicious tourcms_doc_link shortcode with crafted JavaScript in the target parameter. When any user—including administrators—views the page containing this shortcode, the malicious script executes in their browser context.
The vulnerability can be exploited to steal session cookies, redirect users to phishing sites, perform actions on behalf of the victim, or inject keyloggers to capture sensitive information entered on the page.
Detection Methods for CVE-2026-1806
Indicators of Compromise
- Unusual JavaScript code embedded within post content using the tourcms_doc_link shortcode
- Posts or pages containing target attributes with HTML event handlers or <script> tags
- Unexpected network requests originating from pages using the TourCMS plugin shortcodes
- Reports from users about suspicious behavior when visiting certain pages
Detection Strategies
- Review all posts and pages using the tourcms_doc_link shortcode for suspicious target parameter values
- Implement WordPress security plugins that scan for XSS patterns in post content
- Monitor web application firewall (WAF) logs for blocked XSS attempts targeting the plugin
- Audit contributor and author accounts for unauthorized or suspicious activity
Monitoring Recommendations
- Enable detailed logging for post creation and modification events in WordPress
- Configure Content Security Policy (CSP) headers to detect and report inline script execution violations
- Set up automated alerts for posts containing potential XSS payloads or suspicious shortcode usage
- Regularly audit user accounts with Contributor-level access or higher
How to Mitigate CVE-2026-1806
Immediate Actions Required
- Update the Tour & Activity Operator Plugin for TourCMS to the latest patched version as soon as one becomes available
- Audit all existing posts and pages using the tourcms_doc_link shortcode for malicious content
- Restrict Contributor-level access to trusted users only until the patch is applied
- Consider temporarily deactivating the plugin if the shortcode is not essential to site operations
Patch Information
At the time of publication, check the WordPress Plugin Code Reference for updates to the affected code. Additional vulnerability details are available in the Wordfence Vulnerability Analysis. Monitor the WordPress plugin repository for version updates beyond 1.7.0.
Workarounds
- Implement a Web Application Firewall (WAF) with rules to block XSS payloads in shortcode parameters
- Add Content Security Policy headers to prevent inline script execution: Content-Security-Policy: script-src 'self';
- Temporarily disable the tourcms_doc_link shortcode by adding a filter in your theme's functions.php to remove the shortcode registration
- Restrict user registration and limit Contributor-level access to only essential trusted users
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
