Protecting Users from XSS in Wikiloops Player (CVE-2026-1611)

Cross Site Scripting (XSS) in WordPress Wikiloops Track Player Plugin
Plugin Name: Wikiloops Track Player
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-1611
Urgency: Low
CVE Publish Date: 2026-02-08
Source URL: CVE-2026-1611

Wikiloops Track Player (≤ 1.0.1) — Authenticated Contributor Stored XSS (CVE-2026-1611)

Published: 6 Feb, 2026   |   Severity: Low (Patch priority: Low) — CVSS: 6.5   |   CVE: CVE-2026-1611

Affected plugin: Wikiloops Track Player (versions ≤ 1.0.1)   |   Required privilege for exploitation: Contributor (authenticated)


Executive summary

A stored cross-site scripting (XSS) vulnerability in Wikiloops Track Player (≤ 1.0.1) permits an authenticated user with Contributor-level privileges to inject JavaScript into shortcode-rendered content. The payload is persistent and executes in the browser of any visitor who views the compromised page. Exploitation requires only a Contributor account to introduce the payload; impact depends on victims visiting the affected pages.

Stored XSS is a potent class of vulnerability. Although this finding is rated Low/Moderate by score, site operators should act to reduce exposure, especially on multi-author sites and community platforms where contributor accounts are common.

What is stored XSS via shortcode? The technical picture

WordPress shortcodes accept attributes and content from post editors and render HTML on the front end. A stored XSS via shortcode arises when:

  • Shortcode input (attributes or enclosed content) can be supplied by an authenticated user (here, a Contributor),
  • That input is saved in the database (post_content, post_meta, or custom tables),
  • The plugin renders the saved input without correct output encoding or sanitization,
  • JavaScript payloads (for example a <script> tag) are therefore delivered to, and executed in, the browser of any visitor to the page.

  • Filter content on save: strip script tags and on* event-handler attributes from content submitted by targeted roles.

    <?php
    // The opening of this snippet was lost in extraction: the hook, the function
    // name and the role check are assumptions; the two regexes are the page's own.
    add_filter( 'content_save_pre', 'wlp_strip_scripts_on_save' );
    function wlp_strip_scripts_on_save( $content ) {
        // Only filter roles that are not trusted with unfiltered HTML (e.g. Contributor).
        if ( ! current_user_can( 'unfiltered_html' ) ) {
            // Remove <script> blocks
            $content = preg_replace( '#<script\b[^>]*>.*?</script>#is', '', $content );
            // Remove on* attributes (onclick=, onerror=). Note: one handler per element
            // is removed per pass; regex filtering is a stopgap, wp_kses() is the robust option.
            $content = preg_replace_callback(
                '#(<[a-z0-9]+\b[^>]*?)\s+on[a-z]+\s*=\s*(["\']).*?\2#is',
                function ( $matches ) { return $matches[1]; },
                $content
            );
        }
        return $content;
    }
    ?>

    This prevents future storage of script tags from targeted roles. It does not retroactively clean existing content.

  • Override the shortcode handler: Remove the plugin’s handler and register a wrapper that sanitises attributes and enclosed content before rendering.

    <?php
    // The opening lines were lost in extraction: the action hook, the function
    // name and the first attribute key ('id') are assumptions; the rest is the page's code.
    add_action( 'init', 'wlp_override_track_shortcode', 20 );
    function wlp_override_track_shortcode() {
        global $shortcode_tags;
        if ( isset( $shortcode_tags['wikiloops_track'] ) ) {
            $orig = $shortcode_tags['wikiloops_track'];
            remove_shortcode( 'wikiloops_track' );
            add_shortcode( 'wikiloops_track', function ( $atts, $content = '' ) use ( $orig ) {
                $allowed_atts = array(
                    'id'     => '',
                    'height' => '',
                    'width'  => '',
                );
                // Drop any attribute the plugin does not expect, then sanitise the rest.
                // sanitize_text_field() strips tags but does not escape quotes, so the
                // original handler must still use esc_attr() when it prints attributes.
                $atts = shortcode_atts( $allowed_atts, $atts, 'wikiloops_track' );
                foreach ( $atts as $k => $v ) {
                    $atts[ $k ] = sanitize_text_field( $v );
                }
                $safe_content = wp_kses_post( $content );
                if ( is_callable( $orig ) ) {
                    $output = call_user_func( $orig, $atts, $safe_content );
                    // Belt and braces: strip any <script> block the original handler still emits.
                    $output = preg_replace( '#<script\b[^>]*>.*?</script>#is', '', $output );
                    return $output;
                }
                // Fallback when the original handler is missing: emit encoded text only.
                return '<div class="wikiloops-track">' . esc_html( $safe_content ) . '</div>';
            } );
        }
    }
    ?>

    This wrapper sanitises attributes and content, and strips
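The rendering defect described under the technical picture above, shown beside a hardened handler and a check that can be run over rendered output. This is an added example, not the plugin's code, and needs no WordPress install; the function names, attribute names and the sample input are constructed for illustration.

```php
<?php
// Added example (not the plugin's code): a stand-alone shortcode-style renderer
// showing the defect class the advisory describes and a hardened counterpart.
// Function names, attribute names and the sample input are constructed.

// Vulnerable pattern: stored attributes and enclosed content are concatenated
// straight into the page, so whatever a Contributor saved reaches every visitor.
function wlp_render_vulnerable( array $atts, string $content ): string {
    return '<div class="wl-track" data-id="' . $atts['id'] . '" style="width:'
        . $atts['width'] . 'px">' . $content . '</div>';
}

// Hardened pattern: validate each attribute's type, emit only the validated
// value, and encode the enclosed content (stand-in for wp_kses_post/esc_html).
function wlp_render_hardened( array $atts, string $content ): string {
    $id    = filter_var( $atts['id'] ?? '', FILTER_VALIDATE_INT, [ 'options' => [ 'min_range' => 0 ] ] );
    $width = filter_var( $atts['width'] ?? '', FILTER_VALIDATE_INT, [ 'options' => [ 'min_range' => 1, 'max_range' => 2000 ] ] );
    $id    = ( false === $id ) ? 0 : $id;         // reject anything that is not a track id
    $width = ( false === $width ) ? 300 : $width; // fall back to a sane default
    $text  = htmlspecialchars( $content, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return '<div class="wl-track" data-id="' . $id . '" style="width:' . $width . 'px">' . $text . '</div>';
}

// Defender's check over rendered HTML: flags a raw <script> tag or an on*
// event-handler attribute, the two payload shapes the advisory's filters target.
function wlp_output_is_inert( string $html ): bool {
    return 1 !== preg_match( '#<script\b|<[a-z][^>]*\son[a-z]+\s*=#i', $html );
}

if ( PHP_SAPI === 'cli' ) {
    // Constructed Contributor input: an attribute-breaking id plus a script tag in the body.
    $atts    = [ 'id' => '42" onmouseover="alert(1)', 'width' => '300' ];
    $content = '<script>alert(1)</script>Listen to this jam';
    foreach ( [ 'vulnerable' => 'wlp_render_vulnerable', 'hardened' => 'wlp_render_hardened' ] as $label => $fn ) {
        $html = $fn( $atts, $content );
        printf( "%-10s inert=%-3s %s\n", $label, wlp_output_is_inert( $html ) ? 'yes' : 'no', $html );
    }
}
```

Run with `php example.php`: the vulnerable renderer reports inert=no because both the injected handler attribute and the script tag survive, while the hardened one reports inert=yes with the id reset to 0 and the body entity-encoded.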