{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5748", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-07T15:09:42.695Z", "datePublished": "2026-04-22T07:45:39.662Z", "dateUpdated": "2026-04-22T15:31:23.711Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:39.662Z"}, "affected": [{"vendor": "snedled", "product": "Text Snippets", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Text Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ts` shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Text Snippets <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'w' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8cc7a0f3-6a58-4e42-9341-aecf55d2ccb1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/text-snippet/tags/0.0.1/text-snippet.php#L78"}, {"url": "https://plugins.trac.wordpress.org/browser/text-snippet/trunk/text-snippet.php#L78"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "nail majdeddine"}], "timeline": [{"time": "2026-04-21T19:02:47.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T15:26:29.296127Z", "id": "CVE-2026-5748", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:31:23.711Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5748", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T15:26:29.296127Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:26:32.924Z"}}], "cna": {"title": "Text Snippets <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'w' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "nail majdeddine"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "snedled", "product": "Text Snippets", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-21T19:02:47.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8cc7a0f3-6a58-4e42-9341-aecf55d2ccb1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/text-snippet/tags/0.0.1/text-snippet.php#L78"}, {"url": "https://plugins.trac.wordpress.org/browser/text-snippet/trunk/text-snippet.php#L78"}], "descriptions": [{"lang": "en", "value": "The Text Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ts` shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:39.662Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5748", "state": "PUBLISHED", "dateUpdated": "2026-04-22T15:31:23.711Z", "dateReserved": "2026-04-07T15:09:42.695Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-22T07:45:39.662Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Text Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ts` shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-5748", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:25.700", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/text-snippet/tags/0.0.1/text-snippet.php#L78"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/text-snippet/trunk/text-snippet.php#L78"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8cc7a0f3-6a58-4e42-9341-aecf55d2ccb1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.0.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Text Snippets", "source": "cna", "vendor": "snedled"}, "product": "text_snippets", "vendor": "snedled"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T09:36:34.856088+00:00", "value": {"mitigation_remediation": ["Upgrade the Text Snippets plugin to the newest version available that addresses the XSS flaw, if such a release exists.", "If upgrading is not possible, restrict contributor\u2011level or higher WordPress roles from using or editing snippets that employ the vulnerable \u2018ts\u2019 shortcode, or remove that shortcode entirely from public content.", "Sanitize or escape all user inputs to the \u2018ts\u2019 shortcode and review the plugin\u2019s code to ensure proper output escaping before deployment."], "summary": {"action": "Patch Update", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the snedled:Text Snippets WordPress plugin. All released versions of the plugin up to and including 0.0.1 are impacted. No other WordPress core or plugin versions are listed as affected.", "description_and_impact": "The Text Snippets plugin contains a stored cross\u2011site scripting flaw in the \u2018ts\u2019 shortcode that arises from inadequate input sanitization and output escaping of user\u2011supplied attributes. The problem is a typical CWE\u201179 vulnerability that lets attackers inject arbitrary JavaScript which will run in the browsers of any user who views the affected page. This can lead to theft of session cookies, defacement, or redirection to malicious sites. The risk is limited to the context of the WordPress site where the plugin is installed, but it can be leveraged to compromise all visitors who access the injected content.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. EPSS data is not available, and the advisory is not listed in the CISA KEV catalog. The flaw requires the attacker to have at least contributor\u2011level authentication, meaning the attacker must log in with a WordPress account that has permission to add or edit snippets. Once authenticated, the attacker can embed malicious code that will execute in the browsers of all users who open the injected page. Because it is an authenticated attack vector, mitigation through role management or strict permission handling can reduce exploitation risk, but the most secure remedy is to patch or remove the vulnerable plugin."}}}}, "created": "2026-04-22T09:45:13.082797+00:00", "title": "Text Snippets 0.0.1 Stored XSS via \u2019w\u2019 Shortcode Attribute", "updated": "2026-04-22T11:43:58.812903+00:00", "vendors": ["snedled", "snedled$PRODUCT$text_snippets", "wordpress", "wordpress$PRODUCT$wordpress"]}