{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1889", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T14:26:10.210Z", "datePublished": "2026-03-21T03:26:38.442Z", "dateUpdated": "2026-04-08T16:43:24.505Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:24.505Z"}, "affected": [{"vendor": "outgrow", "product": "Outgrow", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the 'outgrow' shortcode in all versions up to, and including, 2.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Outgrow <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'outgrow' Shortcode 'id' Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29e9ad80-6a02-494a-9d53-0f14728952aa?source=cve"}, {"url": "https://wordpress.org/plugins/outgrow/"}, {"url": "https://plugins.trac.wordpress.org/browser/outgrow/trunk/newOutgrow.php#L87"}, {"url": "https://plugins.trac.wordpress.org/browser/outgrow/tags/2.1/newOutgrow.php#L87"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "timeline": [{"time": "2026-03-20T15:08:06.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T18:07:48.044564Z", "id": "CVE-2026-1889", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T18:08:37.323Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1889", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T18:07:48.044564Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T18:08:25.220Z"}}], "cna": {"title": "Outgrow <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'outgrow' Shortcode 'id' Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "outgrow", "product": "Outgrow", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:08:06.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29e9ad80-6a02-494a-9d53-0f14728952aa?source=cve"}, {"url": "https://wordpress.org/plugins/outgrow/"}, {"url": "https://plugins.trac.wordpress.org/browser/outgrow/trunk/newOutgrow.php#L87"}, {"url": "https://plugins.trac.wordpress.org/browser/outgrow/tags/2.1/newOutgrow.php#L87"}], "descriptions": [{"lang": "en", "value": "The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the 'outgrow' shortcode in all versions up to, and including, 2.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:24.505Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1889", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:43:24.505Z", "dateReserved": "2026-02-04T14:26:10.210Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:38.442Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the 'outgrow' shortcode in all versions up to, and including, 2.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Outgrow para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del atributo 'id' del shortcode 'outgrow' en todas las versiones hasta la 2.1, inclusive. Esto se debe a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1889", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:55.703", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/outgrow/tags/2.1/newOutgrow.php#L87"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/outgrow/trunk/newOutgrow.php#L87"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/outgrow/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29e9ad80-6a02-494a-9d53-0f14728952aa?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Outgrow", "source": "cna", "vendor": "outgrow"}, "product": "outgrow", "vendor": "outgrow"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:27:05.436344+00:00", "value": {"mitigation_remediation": ["Upgrade the Outgrow plugin to a version newer than 2.1, if an update exists.", "If an upgrade is not immediately possible, block or remove the plugin from production until a patch is available.", "Restrict contributor-level permissions or remove users who no longer require such access.", "Regularly audit and monitor for unexpected content changes within pages that use the 'outgrow' shortcode, and consider implementing a web application firewall rule to block JavaScript injections."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via authenticated contributor-level access."}, "threat_synthesis": {"affected_systems": "Any WordPress installation that uses the Outgrow plugin in a version 2.1 or earlier is affected. The plugin is named 'Outgrow' and is distributed under the 'outgrow:Outgrow' vendor/package. All users who have contributor or higher roles on the site are at risk. Older WordPress sites or environments that still run these legacy plugin versions should consider them vulnerable.", "description_and_impact": "The vulnerability resides in the Outgrow WordPress plugin and allows an attacker who has at least contributor privileges to inject malicious JavaScript into the 'id' attribute of the 'outgrow' shortcode. Because the plugin fails to sanitize and escape this input, the script is stored in the database and executed whenever a user views a page that contains the shortcode. This stored cross\u2011site scripting can lead to session hijacking, defacement, or delivery of malware to site visitors.", "risk_and_exploitability": "The vulnerability carries a CVSS base score of 6.4, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers need authenticated access with contributor-level rights, which limits the potential attackers to site administrators or trusted contributors. Nevertheless, once the malicious payload is injected it affects all visitors to the affected pages, providing a high impact vector. Organizers should treat the risk as moderate but actionable."}}}}, "created": "2026-03-23T09:50:54.134610+00:00", "updated": "2026-03-25T14:42:28.603643+00:00", "vendors": ["outgrow", "outgrow$PRODUCT$outgrow", "wordpress", "wordpress$PRODUCT$wordpress"]}