CVE-2026-5717: VI Include Post By Plugin XSS Vulnerability

CVE-2026-5717 Overview

The VI: Include Post By plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the class_container attribute of the include-post-by-cat shortcode. All versions up to and including 0.4.200706 are affected due to insufficient input sanitization and output escaping on user-supplied attributes. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages that execute whenever a user accesses an injected page.

Critical Impact

Authenticated attackers with contributor privileges can inject persistent malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, credential theft, or malware distribution.

Affected Products

• VI: Include Post By plugin for WordPress versions up to and including 0.4.200706

Discovery Timeline

• April 15, 2026 - CVE-2026-5717 published to NVD
• April 15, 2026 - Last updated in NVD database

Technical Details for CVE-2026-5717

Vulnerability Analysis

This Stored Cross-Site Scripting vulnerability exists within the shortcode processing functionality of the VI: Include Post By WordPress plugin. The plugin provides the include-post-by-cat shortcode that allows content authors to dynamically include posts based on category. The vulnerability stems from the improper handling of the class_container attribute, which is rendered in the HTML output without adequate sanitization or encoding.

When a user with contributor-level access creates or edits a post containing the vulnerable shortcode with a malicious payload in the class_container attribute, the injected script is stored in the WordPress database. Subsequently, when any visitor views the affected page, the malicious script executes in their browser context with the privileges of the current session.

The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), as the plugin fails to properly neutralize user-controlled input before including it in dynamically generated web pages.

Root Cause

The root cause is insufficient input sanitization and output escaping in the shortcode handler function. The class_container attribute value is accepted from user input and directly rendered into the HTML output without being passed through WordPress's built-in escaping functions such as esc_attr() or wp_kses(). This oversight allows specially crafted attribute values containing JavaScript code to be interpreted as executable script by the browser.

Attack Vector

The attack requires authenticated access with at least contributor-level privileges to the WordPress installation. An attacker crafts a post or page containing the include-post-by-cat shortcode with malicious JavaScript embedded within the class_container attribute. Once the content is published or previewed, any user visiting the page will have the malicious script executed in their browser.

The vulnerability is exploitable via the network without user interaction beyond visiting the compromised page. Since the payload is stored server-side, it persists across sessions and affects all visitors to the infected page.

For technical details on the vulnerable code path, refer to the WordPress Plugin Code Review showing line 809 of the plugin source code where the vulnerability manifests.

Detection Methods for CVE-2026-5717

Indicators of Compromise

• Presence of posts or pages containing include-post-by-cat shortcodes with suspicious JavaScript or event handlers in the class_container attribute
• Unexpected script tags or event handler attributes (onclick, onerror, onload) within post content
• User reports of browser warnings or unexpected behavior when viewing specific pages
• Audit logs showing contributor-level users creating content with unusual shortcode attributes

Detection Strategies

• Implement content security policy (CSP) headers to detect and block inline script execution attempts
• Review WordPress database for stored content containing potential XSS payloads in shortcode attributes
• Deploy web application firewall (WAF) rules to detect malicious patterns in shortcode attributes
• Enable WordPress audit logging to track content modifications by contributor-level users

Monitoring Recommendations

• Monitor access logs for unusual patterns following visits to pages using the VI: Include Post By plugin
• Implement browser-based XSS detection through CSP violation reporting
• Regularly scan WordPress content database for known XSS payload patterns
• Alert on content modifications that include JavaScript keywords within shortcode attributes

How to Mitigate CVE-2026-5717

Immediate Actions Required

• Audit all existing posts and pages using the include-post-by-cat shortcode for potentially malicious class_container values
• Consider temporarily deactivating the VI: Include Post By plugin until a patched version is available
• Review user accounts with contributor-level access and above for any unauthorized activity
• Implement a web application firewall with XSS protection rules

Patch Information

At the time of publication, users should check the Wordfence Vulnerability Report for the latest remediation guidance and patch availability. Monitor the official WordPress plugin repository for updated versions that address this vulnerability.

Workarounds

• Restrict contributor-level access to trusted users only until a patch is available
• Implement server-side input validation to strip JavaScript from shortcode attributes
• Deploy Content Security Policy headers to prevent inline script execution
• Use a WordPress security plugin to scan and sanitize stored content

# Add Content Security Policy header to wp-config.php or .htaccess
# Apache configuration example
Header set Content-Security-Policy "script-src 'self'; object-src 'none';"

# Or add to WordPress using functions.php
# add_action('send_headers', function() {
#     header("Content-Security-Policy: script-src 'self'; object-src 'none';");
# });