{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1854", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-03T18:33:51.270Z", "datePublished": "2026-03-21T03:26:35.624Z", "dateUpdated": "2026-04-08T16:37:08.104Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:08.104Z"}, "affected": [{"vendor": "nosoycesaros", "product": "Post Flagger", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Post Flagger <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'slug' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1653e5a9-d2bb-42e3-be0d-27356fbde2ce?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-flagger/trunk/post-flagger.php#L66"}, {"url": "https://wordpress.org/plugins/post-flagger/"}, {"url": "https://plugins.trac.wordpress.org/browser/post-flagger/tags/1.1/post-flagger.php#L66"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "timeline": [{"time": "2026-03-20T15:18:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:39:26.330344Z", "id": "CVE-2026-1854", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:39:35.801Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1854", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:39:26.330344Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:39:31.860Z"}}], "cna": {"title": "Post Flagger <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'slug' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "nosoycesaros", "product": "Post Flagger", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:18:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1653e5a9-d2bb-42e3-be0d-27356fbde2ce?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-flagger/trunk/post-flagger.php#L66"}, {"url": "https://wordpress.org/plugins/post-flagger/"}, {"url": "https://plugins.trac.wordpress.org/browser/post-flagger/tags/1.1/post-flagger.php#L66"}], "descriptions": [{"lang": "en", "value": "The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:08.104Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1854", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:08.104Z", "dateReserved": "2026-02-03T18:33:51.270Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:35.624Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Post Flagger para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del shortcode 'flag' del plugin en todas las versiones hasta la 1.1, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1854", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:55.337", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/post-flagger/tags/1.1/post-flagger.php#L66"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/post-flagger/trunk/post-flagger.php#L66"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/post-flagger/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1653e5a9-d2bb-42e3-be0d-27356fbde2ce?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Post Flagger", "source": "cna", "vendor": "nosoycesaros"}, "product": "post_flagger", "vendor": "nosoycesaros"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:52:49.470030+00:00", "value": {"mitigation_remediation": ["Update the Post Flagger plugin to the latest released version if a patch is available.", "If no patched version exists, disable or remove the plugin to eliminate the vulnerability.", "Audit all posts, pages, and content that includes the flag shortcode and remove any injected scripts.", "Review the permissions granted to contributors and restrict contributor access to trusted users only."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via the 'slug' attribute (authenticated contributor+ required)"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Post Flagger plugin from nosoycesaros version 1.1 or earlier are affected. The vulnerability exists in all released versions up to 1.1 and is tied to the code that processes the shortcode in post-flagger.php. Users who have contributed content through the plugin are able to inject the malicious payload.", "description_and_impact": "The Post Flagger plugin contains a stored cross\u2011site scripting flaw in the 'flag' shortcode. The 'slug' attribute is not properly sanitized, allowing an attacker with at least contributor privileges to insert arbitrary HTML or JavaScript into post or page content. When a visitor accesses the page, the injected script runs in their browser, potentially exposing the site to further exploitation or user defacement.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates a moderate severity. No EPSS score is available and the issue is not listed in the CISA KEV catalog, suggesting that there is limited or no known exploitation in the wild at this time. Exploitation requires only contributor access, which is commonly granted on multi\u2011author WordPress installations. The overall risk remains moderate, but because the impact affects every visitor to affected pages, sites with high traffic or sensitive content should treat it as a priority concern."}}}}, "created": "2026-03-23T09:50:59.489148+00:00", "updated": "2026-03-25T14:42:34.539849+00:00", "vendors": ["nosoycesaros", "nosoycesaros$PRODUCT$post_flagger", "wordpress", "wordpress$PRODUCT$wordpress"]}