Community Alert: XSS in Personal Authors Plugin (CVE-2026-1754)

Cross-Site Scripting (XSS) in WordPress personal-authors-category Plugin
Plugin Name: personal-authors-category
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-1754
Urgency: High
CVE Publish Date: 2026-02-16
Source URL: CVE-2026-1754

Reflected XSS in personal-authors-category (<= 0.3): What site owners and developers must do now

By Hong Kong Security Expert — 2026-02-16

Executive summary

A reflected Cross-Site Scripting (XSS) vulnerability has been disclosed in the WordPress plugin personal-authors-category affecting versions <= 0.3 (CVE-2026-1754). An attacker can craft a URL that executes arbitrary JavaScript in the browser of any user who opens the link, including privileged users (administrators, editors). Exploitation requires no authentication but does require user interaction (the victim must visit the crafted URL); the issue carries a CVSS base score of 7.1, reflecting its potential impact on confidentiality, integrity and availability.

This advisory explains the vulnerability, likely exploitation scenarios, immediate mitigations for site owners, developer guidance to fix the root cause, and post-incident recovery steps. Test only in a controlled environment and never against systems you do not own or have permission to assess.

What is reflected XSS and why it matters

Reflected XSS occurs when an application takes untrusted input (e.g., a URL query parameter or form field), includes that data in an HTTP response, and fails to escape or encode it for the context in which it is emitted (HTML body, attribute value, URL, script). Because the injected content is not persisted, exploitation requires a victim to visit a crafted link. Once executed in the victim's browser, the attacker's script runs in the origin of the vulnerable site: it can read the page DOM, including any nonces or tokens rendered in it, and issue requests that carry the victim's cookies.
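The following is an added illustration of the mechanism just described; it is not code from the personal-authors-category plugin or from this advisory, and the parameter name "author", the page template and the sample URLs are constructed placeholders (the advisory does not name the plugin's vulnerable parameter). It renders the same reflected value three ways: unescaped, escaped only for the element body, and escaped per output context, the Python equivalent of using esc_html() for body text and esc_attr() for attribute values in WordPress. A small HTML-parser check then reports whether the rendered page contains any tag or attribute the template did not have, which is exactly the condition a browser turns into script execution.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs (not real traffic). "author" is a placeholder name;
# the advisory does not identify the plugin's actual reflected parameter.
BODY_PAYLOAD_URL = "https://example.test/?author=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"
ATTR_PAYLOAD_URL = "https://example.test/?author=%22%20autofocus%20onfocus%3Dalert(1)%20x%3D%22"


def author_param(url: str) -> str:
    """Return the decoded 'author' query value, as the server framework hands it to the plugin."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("author", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the raw value into an element body and an attribute: the browser parses it as markup."""
    author = author_param(url)
    return f'<h2>Posts by {author}</h2>\n<input name="q" value="{author}">'


def render_half_fixed(url: str) -> str:
    """Escapes only < > & (quote=False). Safe in the element body, but a double quote
    in the value still closes the attribute and lets the attacker add new attributes."""
    author = escape(author_param(url), quote=False)
    return f'<h2>Posts by {author}</h2>\n<input name="q" value="{author}">'


def render_hardened(url: str) -> str:
    """Escapes per output context: body text with quote=False, attribute value with
    quote=True so that " and ' are encoded too (esc_html() vs esc_attr() in WordPress)."""
    raw = author_param(url)
    body_safe = escape(raw, quote=False)
    attr_safe = escape(raw, quote=True)
    return f'<h2>Posts by {body_safe}</h2>\n<input name="q" value="{attr_safe}">'


class TagCollector(HTMLParser):
    """Records every start tag with its attribute names, as a browser's parser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(name for name, _ in attrs)))


def injected_behaviour(html_out: str) -> bool:
    """True if rendering produced any tag or attribute that the template itself did not contain."""
    parser = TagCollector()
    parser.feed(html_out)
    expected = [("h2", []), ("input", ["name", "value"])]
    return parser.tags != expected


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("half-fixed", render_half_fixed),
                         ("hardened", render_hardened)):
        for label, url in (("body payload", BODY_PAYLOAD_URL), ("attribute payload", ATTR_PAYLOAD_URL)):
            print(f"{name:10s} {label:17s} injected={injected_behaviour(render(url))}")
```

The half-fixed variant is the instructive case: it stops the `<img onerror>` probe but not the attribute breakout, which is why a fix that only strips angle brackets (or applies one escaping routine everywhere) is not a complete fix. The check is intentionally structural rather than a string search for "script" or "onerror", so it also flags payloads that use other tags or handlers.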

Consequences include:

  • Theft of session cookies or authentication tokens readable from script (the HttpOnly flag blocks direct document.cookie reads, but injected script can still send authenticated same-origin requests, and SameSite offers no protection against a script already running on the site).
  • Unauthorized actions performed with the victim's privileges (CSRF-like effects; because the script runs on the site's own pages it can read WordPress nonces from the DOM, so nonce checks alone do not stop it).
  • Phishing UI injection to capture credentials.
  • Drive-by redirects to malware or automatic payload downloads.
  • UI/content injection used for social engineering against site administrators or visitors.

Since the attack is triggered by visiting a URL, it is particularly dangerous when attackers can persuade privileged users to click links. Even limited script execution against an admin can enable privilege escalation or site takeover.

The specific issue: personal-authors-category <= 0.3

  • Plugin: personal-authors-category
  • Vulnerable versions: <= 0.3
  • Type: Reflected Cross-Site Scripting (XSS)
  • CVE: CVE-2026-1754
  • Authentication: none (unauthenticated)
  • User interaction: required (victim must click or visit crafted URL)
  • Public disclosure: 2026-02-16
  • Reported by: security researcher

At a technical level, the plugin reflects user-controlled input into page output without appropriate escaping, allowing browsers to interpret attacker-controlled JavaScript. At the time of disclosure there is no official patch available; site owners must apply mitigations immediately.

Realistic exploitation scenarios

  1. Administrator targeted via email or chat

    Attacker sends a crafted URL to an administrator. If clicked while the admin is authenticated, injected JavaScript may perform privileged actions (create users, edit content, exfiltrate configuration).

  2. Cross-site phishing

    Injected HTML can mimic login forms or plugin dialogs to harvest credentials or tokens.

  3. Automated drive-by redirection

    Visitors can be redirected to malware-hosting domains or credential-harvesting pages.

  4. Content injection for social engineering

    Attackers can inject content or adverts that harm reputation or funnel traffic to attacker-controlled sites.

How to identify whether your site is vulnerable or has been targeted

Immediate detection steps:

  • Confirm whether the plugin is installed and active: WordPress admin → Plugins → look for personal-authors-category.
  • Check the plugin version. If <= 0.3 and active, treat as vulnerable until mitigated.
  • Inspect web server and application logs for requests to plugin endpoints containing suspicious payloads: characters like <, >, %3C, script, onerror, javascript:, etc. URL-decode the request line before matching, and decode repeatedly, since payloads are often double-encoded (for example %253C for <) or mixed-case to slip past naive string matches.
  • Look for unexpected admin actions (new users, post edits, plugin/theme changes) around the time of suspicious requests.
  • Scan site content and database for injected markup or
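As an added example of the log-inspection step above (not a tool from this advisory or from the plugin's authors), the script below scans access-log lines in the common combined format, percent-decodes each request target repeatedly until it stops changing, lower-cases it, and matches a small set of reflected-XSS indicators: a script tag, an on*= event handler, a javascript: URI, and any opening tag. The log lines are constructed samples using documentation IP ranges; the parameter name "author" is a placeholder. The double-decoding is the part worth copying: a single unquote() would miss the second sample line entirely.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not from a real server.
# Line 2 carries a double-encoded payload, line 3 is a benign request that contains
# the substring "script" and should not be flagged, line 5 is a normal admin page load.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2026:10:01:12 +0000] "GET /?author=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Feb/2026:10:01:40 +0000] "GET /?author=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5118 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Feb/2026:10:02:05 +0000] "GET /category/subscription-tips/ HTTP/1.1" 200 8431 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Feb/2026:10:03:30 +0000] "GET /?author=javascript%3Aalert(1) HTTP/1.1" 200 5110 "-" "curl/8.4.0"
192.0.2.33 - - [16/Feb/2026:10:04:00 +0000] "GET /wp-admin/admin.php?page=personal-authors-category HTTP/1.1" 200 12033 "https://example.test/wp-admin/" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns, applied to the fully decoded and lower-cased request target.
# Word boundaries keep "on" inside words such as "personal" from matching.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b"),
    "event_handler": re.compile(r"\bon[a-z]+\s*="),
    "javascript_uri": re.compile(r"javascript\s*:"),
    "tag_open": re.compile(r"<\s*[a-z!/]"),
}


def full_decode(target: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so %253C is seen as <."""
    current = target
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def scan_log(text: str) -> list:
    """Return one record per log line whose decoded request target matches an indicator."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        decoded = full_decode(match["target"]).lower()
        indicators = [name for name, pattern in XSS_PATTERNS.items() if pattern.search(decoded)]
        if indicators:
            hits.append({
                "line": lineno,
                "ip": match["ip"],
                "time": match["ts"],
                "status": match["status"],
                "decoded": decoded,
                "indicators": indicators,
            })
    return hits


def hits_by_ip(hits: list) -> dict:
    """Count flagged requests per client address to prioritise which sources to review first."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"line {hit['line']} {hit['ip']} {hit['time']} {hit['indicators']}: {hit['decoded']}")
    print("per-IP:", hits_by_ip(found))
```

Run it against a real log with `scan_log(open("/var/log/nginx/access.log").read())` and correlate the timestamps of any hits with the admin-activity checks above (new users, edited posts, plugin changes). A 200 status on a flagged request tells you the payload was reflected and served, not that a victim ran it; the referer and user agent fields, which the regex leaves untouched, help separate scanner noise from a targeted link sent to an administrator.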