CVE-2026-5247 Overview
CVE-2026-5247 is a Stored Cross-Site Scripting (XSS) vulnerability in the Schedule Post Changes With PublishPress Future plugin for WordPress. The flaw affects all versions up to and including 4.10.0. The vulnerability resides in the wrapper attribute of the [futureaction] shortcode, where insufficient input sanitization allows attribute injection. Authenticated attackers with administrator-level access can inject arbitrary JavaScript that executes when users visit affected pages. Administrators can also expose the shortcode functionality to lower-privileged users, extending the abuse surface to contributors. The issue is tracked under CWE-79.
Critical Impact
Authenticated users can inject persistent JavaScript into WordPress pages, enabling session theft, content manipulation, and privilege escalation against site visitors and administrators.
Affected Products
- Schedule Post Changes With PublishPress Future plugin for WordPress
- All plugin versions through 4.10.0
- WordPress sites where contributors or other lower-privileged roles are granted shortcode usage
Discovery Timeline
- 2026-05-05 - CVE-2026-5247 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-5247
Vulnerability Analysis
The vulnerability is a Stored Cross-Site Scripting issue in the [futureaction] shortcode handler. The plugin accepts a wrapper attribute that specifies the HTML tag used to wrap the shortcode output. The handler passes this attribute through esc_html() before inserting it into a sprintf() call that builds the resulting HTML element.
esc_html() only encodes HTML entities such as <, >, &, and quotes. It does not strip whitespace or block additional attribute syntax embedded inside the value. When the sanitized value is subsequently used as an HTML tag name, an attacker can supply a tag name followed by a space and arbitrary event handler attributes. The browser parses the injected handlers as part of the opening tag and executes the supplied JavaScript on page load.
The payload is stored in post content as part of the shortcode and renders for every visitor of the affected page. This makes the impact persistent rather than reflected.
Root Cause
The root cause is the use of an output-encoding function (esc_html()) for context-incorrect sanitization. HTML tag names require strict allow-list validation. Allowing attacker-controlled whitespace and characters into a position that the parser treats as the tag and attribute area produces attribute injection. See the vulnerable code path in ShortcodeController.php (line 173).
Attack Vector
An authenticated administrator authors a post or page containing a [futureaction] shortcode whose wrapper attribute carries a tag name followed by a space and an event handler such as onmouseover or onfocus. When any user visits the rendered page, the browser fires the injected handler in the victim's session context. Because administrators can delegate shortcode use, contributors with lower privileges can also stage payloads in their submissions, broadening the attack surface.
No verified public proof-of-concept code is available. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-5247
Indicators of Compromise
- Post or page content containing [futureaction] shortcodes where the wrapper attribute includes whitespace followed by on* event handler names such as onclick, onerror, onmouseover, or onload.
- Database wp_posts.post_content rows with wrapper= values containing characters beyond standard HTML tag names (letters and digits only).
- Unexpected outbound requests from visitor browsers to attacker-controlled domains shortly after rendering pages that embed the shortcode.
Detection Strategies
- Audit all stored shortcode usage by querying the WordPress database for [futureaction substrings and inspecting the wrapper attribute values.
- Deploy a Web Application Firewall (WAF) rule that blocks requests submitting wrapper attributes containing whitespace or on event handler patterns.
- Review WordPress audit logs for post edits authored by administrator or contributor accounts that introduce or modify [futureaction] shortcodes.
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting to capture inline script execution attempts in rendered pages.
- Monitor administrator and contributor account activity for anomalous post creation patterns or privilege changes.
- Track plugin version inventory across managed WordPress sites to identify hosts still running PublishPress Future 4.10.0 or earlier.
How to Mitigate CVE-2026-5247
Immediate Actions Required
- Update the Schedule Post Changes With PublishPress Future plugin to a version newer than 4.10.0 as soon as a fixed release is available from the PublishPress Future GitHub releases page.
- Review and remove any existing [futureaction] shortcodes whose wrapper attribute contains whitespace or non-alphanumeric characters.
- Restrict shortcode usage to trusted administrator accounts and revoke shortcode privileges previously granted to contributors or authors.
Patch Information
The vendor distributes fixes through the WordPress plugin repository and the PublishPress Future GitHub releases page. Apply the latest patched release that addresses the wrapper attribute sanitization in ShortcodeController.php. After patching, verify the fix by inspecting the controller logic against the trunk source.
Workarounds
- Deactivate the PublishPress Future plugin until a patched version is installed if delegated shortcode use is in production.
- Enforce a strict Content Security Policy that disables inline event handlers and inline scripts to neutralize injected payloads.
- Limit administrator accounts and require multi-factor authentication to reduce the chance of attacker-controlled accounts authoring malicious shortcodes.
# Configuration example: WordPress CLI commands to inventory and disable the plugin
wp plugin list --name=post-expirator --fields=name,status,version
wp plugin deactivate post-expirator
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[futureaction%wrapper=%';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
