CVE-2026-5715 Overview
CVE-2026-5715 is a Stored Cross-Site Scripting (XSS) vulnerability in the Voyage Plus plugin for WordPress. The flaw affects all versions up to and including 1.0.6 and resides in the handling of the class attribute of the post-content shortcode. The plugin fails to sanitize user-supplied attributes and does not properly escape them on output, allowing script injection into rendered pages.
Authenticated users with contributor-level access or higher can inject arbitrary JavaScript that executes in the browser of any visitor who loads the affected page. The issue is tracked under [CWE-79] and was reported through the Wordfence vulnerability disclosure program.
Critical Impact
Contributor-level attackers can inject persistent JavaScript that executes against site administrators and visitors, enabling session hijacking, redirection, and privilege escalation chains.
Affected Products
- Voyage Plus plugin for WordPress, all versions through 1.0.6
- WordPress sites permitting contributor-level account registration
- WordPress installations using the post-content shortcode from Voyage Plus
Discovery Timeline
- 2026-05-12 - CVE-2026-5715 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-5715
Vulnerability Analysis
The vulnerability is a Stored Cross-Site Scripting (XSS) flaw classified under [CWE-79]. It exists in the shortcode handler defined in inc/shortcodes.php at line 194 of the Voyage Plus plugin, as referenced in the WordPress Plugin Code Review.
The post-content shortcode accepts a class attribute intended to apply CSS classes to the rendered output. The plugin passes this attribute directly into HTML markup without applying WordPress sanitization helpers such as sanitize_html_class() or escaping the value with esc_attr() on output. Because the value is rendered inside an HTML attribute context, an attacker can break out of the attribute using quote characters and inject arbitrary script tags or event handlers.
The payload is stored persistently in post content, executing for any subsequent visitor including administrators. The attack proceeds over the network and requires low-complexity authenticated access at the contributor tier.
Root Cause
The root cause is insufficient input sanitization and missing output escaping on a user-controlled shortcode attribute. WordPress contributors can author posts containing shortcodes, and the plugin trusts the supplied class value without validation.
Attack Vector
An authenticated contributor crafts a post containing the post-content shortcode with a malicious class attribute. The payload breaks out of the attribute and injects JavaScript. When an editor, administrator, or site visitor loads the post, the script executes in their session context, enabling cookie theft, forced administrative actions through cross-site request forgery, or account takeover.
No verified public exploit code is available. The vulnerability mechanism is documented in the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-5715
Indicators of Compromise
- Posts or pages containing the [post-content] shortcode with unusual characters such as ", <, >, or onerror= inside the class attribute
- Outbound browser requests from admin sessions to unfamiliar domains after viewing contributor-authored content
- Unexpected creation of administrator accounts or modification of plugin/theme files following contributor activity
Detection Strategies
- Scan the wp_posts table for shortcode patterns containing script tags or HTML metacharacters within shortcode attributes
- Review web server logs for POST requests to /wp-admin/post.php from contributor accounts followed by visits to those posts by privileged users
- Audit Voyage Plus plugin versions across managed WordPress sites and flag any instance at or below 1.0.6
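The audit in the strategies above and the sanitize-then-escape fix described under Vulnerability Analysis, as one added Python example that is not the plugin's or WordPress's own code: it parses post-content shortcodes the way WordPress parses attributes (quoted values may carry the other quote type and any HTML metacharacter), flags class values that could break out of the attribute, and shows what a handler using the equivalent of sanitize_html_class() plus esc_attr() would keep. The sample rows are constructed stand-ins for a SELECT from wp_posts, and the two helper functions are emulations of the WordPress ones, not their source.

```python
import html
import re

# Emulates WordPress sanitize_html_class(): drop percent-encoded bytes, then
# anything outside [A-Za-z0-9_-]. Assumption: re-implementation for this example.
def sanitize_html_class(value: str) -> str:
    value = re.sub(r"%[0-9a-fA-F]{2}", "", value)
    return re.sub(r"[^A-Za-z0-9_-]", "", value)

def sanitize_class_list(value: str) -> str:
    """class= may hold several classes; sanitize each token, drop empties."""
    return " ".join(t for t in map(sanitize_html_class, value.split()) if t)

# Attribute-context escaping, the job esc_attr() does on output in WordPress.
def esc_attr(value: str) -> str:
    return html.escape(value, quote=True)

def render_hardened(class_value: str, body: str) -> str:
    """How a fixed handler should build the wrapper: sanitize, then escape."""
    return f'<div class="{esc_attr(sanitize_class_list(class_value))}">{body}</div>'

# Shortcode and attribute grammar mirror WordPress shortcode_parse_atts().
SHORTCODE = re.compile(r"\[post-content\b([^\]]*)\]")
CLASS_ATTR = re.compile(r"""\bclass\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# Metacharacters from the Indicators of Compromise list, plus any on*= handler.
SUSPICIOUS = re.compile(r"""[<>"'=]|\bon\w+\s*=""", re.IGNORECASE)

def extract_class_values(post_content: str) -> list[str]:
    """Raw class= value of every post-content shortcode in one post body."""
    values = []
    for sc in SHORTCODE.finditer(post_content):
        m = CLASS_ATTR.search(sc.group(1))
        if m:
            values.append(next(g for g in m.groups() if g is not None))
    return values

def audit_posts(rows: list[dict]) -> list[dict]:
    """Flag rows whose shortcode class value could break out of the attribute."""
    findings = []
    for row in rows:
        for raw in extract_class_values(row["post_content"]):
            if SUSPICIOUS.search(raw):
                findings.append({"ID": row["ID"], "author": row["post_author"],
                                 "raw": raw, "safe": sanitize_class_list(raw)})
    return findings

# Constructed sample rows standing in for ID, post_author, post_content columns.
SAMPLE_ROWS = [
    {"ID": 101, "post_author": 7, "post_content": '[post-content class="hero wide"]'},
    {"ID": 102, "post_author": 9,
     "post_content": "[post-content class='x\" onmouseover=\"alert(1)']"},
    {"ID": 103, "post_author": 9, "post_content": "[post-content class=<svg>]"},
]

if __name__ == "__main__":
    for f in audit_posts(SAMPLE_ROWS):
        print(f"post {f['ID']} (author {f['author']}): {f['raw']!r} -> keep {f['safe']!r}")
```

Against a live site, feed the function the rows from wp_posts for contributor-authored posts and review every finding before editing the post, since the sanitized value shows only what a fixed plugin would render, not what to keep.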
Monitoring Recommendations
- Enable WordPress audit logging to track post creation and edits by contributor-level accounts
- Monitor for new contributor or author registrations on sites where open registration is enabled
- Alert on administrator session anomalies such as unexpected user-agent changes or API calls originating from browser sessions
How to Mitigate CVE-2026-5715
Immediate Actions Required
- Update the Voyage Plus plugin to a version above 1.0.6 once the vendor releases a patched build
- Audit existing posts authored by contributors for the post-content shortcode and remove suspicious class attribute values
- Temporarily restrict contributor role assignments and disable open registration on production sites until the plugin is updated
Patch Information
At the time of publication, the vulnerability affects all versions through 1.0.6. Administrators should consult the Wordfence Vulnerability Report and the WordPress Plugin Development Code repository for fixed release availability.
Workarounds
- Deactivate the Voyage Plus plugin until a patched version is available
- Apply a web application firewall rule that blocks HTML metacharacters in shortcode attribute values submitted through post content
- Reduce contributor privileges or require editor review before publishing posts that contain the post-content shortcode
# Example: show the installed Voyage Plus plugin with its status and version on one site (run per managed site; flag any version at or below 1.0.6)
wp plugin list --name=voyage-plus --fields=name,status,version --allow-root
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.