CVE-2026-1888 Overview
The Docus – YouTube Video Playlist plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the docusplaylist shortcode. All versions up to and including 1.0.6 are affected due to insufficient input sanitization and output escaping on user-supplied attributes. This vulnerability allows authenticated attackers with Contributor-level access or above to inject arbitrary web scripts into pages that execute whenever a user accesses an injected page.
Critical Impact
Authenticated attackers can persistently inject malicious JavaScript that executes in the browsers of all users viewing affected pages, potentially leading to session hijacking, credential theft, or further site compromise.
Affected Products
- Docus – YouTube Video Playlist plugin for WordPress versions ≤ 1.0.6
- WordPress installations with the Docus plugin enabled
- Sites allowing Contributor-level or higher user access
Discovery Timeline
- February 6, 2026 - CVE-2026-1888 published to NVD
- February 6, 2026 - Last updated in NVD database
Technical Details for CVE-2026-1888
Vulnerability Analysis
This Stored XSS vulnerability (CWE-79) exists within the shortcode processing functionality of the Docus plugin. The vulnerability is classified as network-accessible, meaning attackers can exploit it remotely through the WordPress interface. The scope is changed, indicating that the vulnerable component impacts resources beyond its security scope, affecting the browser context of users who view compromised pages.
The attack requires low privileges (Contributor-level access) and no user interaction for exploitation. When successfully exploited, the vulnerability impacts both confidentiality and integrity at a low level, as injected scripts can access sensitive page content and modify displayed information. There is no direct availability impact.
Root Cause
The root cause of this vulnerability lies in the class.shortcode.php file within the Docus plugin. The shortcode handler fails to properly sanitize user-supplied attributes before rendering them in the HTML output. Specifically, the code at line 55 of the shortcode class does not implement adequate input validation or output escaping, allowing malicious JavaScript code embedded in shortcode attributes to be stored in the database and later executed in users' browsers.
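The escaping failure described above, as an added Python model of the shortcode handler (this is illustration written for this page, not the plugin's own PHP code; the attribute names `id` and `title`, the `docus-playlist` markup and the playlist-id format are assumptions). `render_unsafe` interpolates attribute values straight into HTML, so a value containing a double quote ends the attribute it was meant for and whatever follows becomes new markup; `render_safe` shows the three defensive steps the fix has to take: allow-list the attribute names, validate the id, and entity-encode every value for attribute context (the equivalent of `shortcode_atts()` plus `esc_attr()` in WordPress):

```python
import html
import re

# Hypothetical attribute set for the example; the real plugin's attribute names are not on the page.
ALLOWED_ATTRS = {"id": "", "title": ""}
# Assumption: a playlist id is a short token of letters, digits, '-' and '_'.
PLAYLIST_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
TEMPLATE = '<div class="docus-playlist" data-playlist="{id}" title="{title}"></div>'


def render_unsafe(atts):
    """Vulnerable pattern: shortcode attribute values are interpolated into HTML as-is.

    A value containing a double quote closes the attribute it was meant for, and whatever
    follows it is parsed as new markup; that is the stored XSS path the advisory describes.
    """
    return TEMPLATE.format(id=atts.get("id", ""), title=atts.get("title", ""))


def render_safe(raw_atts):
    """Hardened pattern: allow-list attribute names, validate, then escape for attribute context.

    Unknown attributes are dropped (what shortcode_atts() does in WordPress), an implausible
    id is not rendered, and every value is entity-encoded (what esc_attr() does) before it
    reaches the HTML template.
    """
    atts = {k: raw_atts.get(k, default) for k, default in ALLOWED_ATTRS.items()}
    if not PLAYLIST_ID_RE.match(atts["id"]):
        atts["id"] = ""  # an id that is not a plausible playlist id is not rendered at all
    escaped = {k: html.escape(v, quote=True) for k, v in atts.items()}
    return TEMPLATE.format(**escaped)


def attribute_names(markup):
    """Names of the HTML attributes in the rendered element; an extra name means a value broke out."""
    return re.findall(r'\s([a-zA-Z-]+)="', markup)


if __name__ == "__main__":
    # Constructed sample: the title value carries an attribute breakout, as the advisory describes.
    tainted = {"id": "PLabc123", "title": 'x" onmouseover="probe()'}
    print(render_unsafe(tainted), attribute_names(render_unsafe(tainted)))
    print(render_safe(tainted), attribute_names(render_safe(tainted)))
```

Escaping alone fixes the breakout, but the allow-list and the id check matter too: they mean an attacker-controlled attribute name never reaches the template, and a value that is not shaped like a playlist id is never rendered, which narrows the surface a WAF rule or content scanner has to cover.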
Attack Vector
The attack is conducted over the network through the WordPress content management system. An attacker with at least Contributor privileges can create or edit a post containing the docusplaylist shortcode with malicious attribute values. When the post is saved, the malicious payload is stored in the WordPress database. Subsequently, when any user (including administrators) views the page containing the shortcode, the injected script executes in their browser session.
Because the payload is stored, the vulnerability persists until the content is manually removed and affects every user who views the compromised page. Attackers could leverage this to steal session cookies, redirect users to phishing sites, deface content, or escalate privileges by targeting administrator sessions.
Detection Methods for CVE-2026-1888
Indicators of Compromise
- Unusual JavaScript code in posts or pages containing docusplaylist shortcodes
- Unexpected script tags or event handlers within shortcode attribute values
- Database entries containing suspicious payloads in post content with the affected shortcode
- Reports from users experiencing redirects, pop-ups, or unexpected behavior on specific pages
Detection Strategies
- Review WordPress posts and pages containing docusplaylist shortcodes for suspicious attribute values
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Monitor web application firewall (WAF) logs for XSS payloads targeting shortcode parameters
- Audit user accounts with Contributor or higher privileges for suspicious activity
Monitoring Recommendations
- Enable detailed WordPress audit logging to track post modifications by Contributor-level users
- Configure alerts for posts containing the docusplaylist shortcode with unusual characters or script-related content
- Regularly scan database content for common XSS payloads such as <script>, javascript:, and event handlers
- Monitor for anomalous network requests originating from users viewing WordPress content
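The content scan recommended above, as an added Python example (not part of the advisory or the plugin): it pulls every docusplaylist shortcode out of post content with an approximation of WordPress's shortcode grammar, then checks each attribute against the indicators listed in this section (script tags, javascript: URIs, event handlers, and the quote or angle characters needed to break out of an attribute). The sample rows are constructed for the example; the regexes are simplifications of WordPress's parser, and the `on*=` heuristic will also fire on innocent text such as `one=`, so findings are a review queue rather than a verdict.

```python
import re

# Approximation of WordPress's shortcode syntax: [docusplaylist attr="v" ...]; captures the raw
# attribute string. Other shortcode tags are ignored because only this one is affected.
SHORTCODE_RE = re.compile(r"\[docusplaylist\b([^\]]*)\]", re.IGNORECASE)
# WordPress accepts name="value", name='value' and bare name=value.
ATTR_RE = re.compile(r"""(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Indicators taken from the advisory's monitoring list, checked in order of confidence.
INDICATORS = [
    ("script-tag", re.compile(r"<\s*/?\s*script", re.IGNORECASE)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("markup-chars", re.compile(r"""[<>"']""")),  # characters needed to break out of an attribute
]


def scan_post(post_id, content):
    """Return (post_id, attribute, indicator) triples for every suspicious docusplaylist attribute."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for attr in ATTR_RE.finditer(sc.group(1)):
            name = attr.group(1)
            value = next(g for g in attr.groups()[1:] if g is not None)
            if name.lower().startswith("on"):
                # An event-handler attribute has no business in a playlist shortcode at all.
                findings.append((post_id, name, "event-handler-attribute"))
                continue
            for label, pattern in INDICATORS:
                if pattern.search(value):
                    findings.append((post_id, name, label))
                    break  # report the strongest indicator once per attribute
    return findings


def scan_posts(posts):
    """posts: iterable of (post_id, post_content) pairs, e.g. rows pulled from wp_posts."""
    findings = []
    for post_id, content in posts:
        findings.extend(scan_post(post_id, content))
    return findings


# Constructed sample rows standing in for wp_posts.post_content; none come from a real site.
SAMPLE_POSTS = [
    (101, 'Week 1 [docusplaylist id="PLabc123" title="Lecture 1"] and notes'),
    (102, "[docusplaylist id='PLxyz' title='x\" onmouseover=\"probe()']"),
    (103, '[docusplaylist id="javascript:probe()" title=Plain]'),
    (104, 'No shortcode here, just <b>bold</b> text and [gallery ids="1,2"]'),
    (105, '[docusplaylist id="PL1" title="x" onmouseover="probe()"]'),
]

if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS):
        print("post %d: attribute %r flagged: %s" % finding)
```

On a live site the rows would come from WP-CLI, for example `wp post list --post_type=post,page --post_status=any --fields=ID,post_content --format=json`, so that drafts and pending posts by Contributor accounts are included, not only published content. Post 104 shows why the scan is scoped to the docusplaylist tag: markup elsewhere in a post is normal and would otherwise drown the real findings in noise.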
How to Mitigate CVE-2026-1888
Immediate Actions Required
- Update the Docus – YouTube Video Playlist plugin to the latest patched version immediately
- Review existing posts and pages using the docusplaylist shortcode for potentially malicious content
- Audit Contributor and Author accounts to ensure only trusted users have these permissions
- Consider temporarily disabling the plugin until the update can be applied
Patch Information
A patch has been released to address this vulnerability. The WordPress Plugin Changeset shows the security fix implemented in the updated version. Administrators should update to the latest version of the Docus plugin through the WordPress plugin repository. For additional technical analysis, refer to the Wordfence Vulnerability Analysis.
Workarounds
- Restrict Contributor-level access to only trusted users until the plugin is updated
- Implement a Web Application Firewall (WAF) rule to filter XSS payloads in shortcode attributes
- Temporarily remove or disable the Docus plugin if it is not critical to site functionality
- Use WordPress content filtering plugins to sanitize shortcode output as an interim measure
# WordPress CLI command to check plugin version
# (the plugin slug is assumed to be "docus"; confirm it with `wp plugin list`)
wp plugin list --name=docus --fields=name,version,update
# Update the plugin to the latest version
wp plugin update docus
# Alternatively, deactivate the plugin until patched
wp plugin deactivate docus
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.