CVE-2026-1097 is a stored cross-site scripting (XSS) vulnerability identified in the ThemeRuby Multi Authors – Assign Multiple Writers to Posts plugin for WordPress, which enables multiple authors to be assigned to posts. The vulnerability exists in all versions up to and including 1.0.0 due to insufficient sanitization and escaping of user-supplied input in the 'before' and 'after' shortcode attributes. Authenticated attackers with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into posts or pages. Because the injected scripts are stored persistently, they execute in the browsers of any users who view the affected content, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability is exploitable remotely over the network without user interaction, and the attack complexity is low, making it relatively straightforward for attackers with the required privileges to exploit. The vulnerability impacts confidentiality and integrity but does not affect availability. No patches have been officially released at the time of publication, and no known exploits have been observed in the wild. The vulnerability is tracked under CWE-79, which covers improper neutralization of input during web page generation leading to XSS. The plugin is used in WordPress environments, which are widely deployed globally, especially in content-heavy websites and blogs.

The primary impact of this vulnerability is on the confidentiality and integrity of affected WordPress sites and their users. Attackers can execute arbitrary JavaScript in the context of the vulnerable site, enabling session hijacking, credential theft, or unauthorized actions such as content manipulation or privilege escalation. This can lead to compromised user accounts, defacement of websites, or further exploitation of the underlying infrastructure. Since the vulnerability requires authenticated access at Contributor level or above, it primarily threatens sites with multiple authors or contributors, common in media, publishing, and collaborative platforms. The scope includes all users who view the injected content, potentially affecting site visitors and administrators alike. Although availability is not directly impacted, the reputational damage and potential data breaches can have significant operational and financial consequences for organizations. The medium CVSS score reflects a moderate risk, but the ease of exploitation by insiders or compromised accounts increases the threat level. Organizations relying on this plugin without mitigation are exposed to targeted attacks, especially in environments with multiple content contributors.

1. Immediate mitigation involves restricting Contributor-level user permissions and auditing existing user roles to minimize the number of users who can inject shortcode attributes. 2. Disable or remove the ThemeRuby Multi Authors plugin until a security patch is released. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs containing script tags or event handlers. 4. Conduct thorough input validation and output escaping for all shortcode attributes in custom themes or plugins to prevent XSS. 5. Monitor logs for unusual activity related to shortcode usage or content modifications by contributors. 6. Educate content contributors about safe content practices and the risks of injecting untrusted code. 7. Once available, promptly apply official patches or updates from the vendor. 8. Consider deploying Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the site. 9. Regularly back up website data to enable recovery in case of compromise. 10. Perform security scans and penetration tests focusing on shortcode and plugin vulnerabilities.