CVE-2026-1575 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Schema Shortcode plugin for WordPress, developed by jeric_izon. The vulnerability exists in all versions up to and including 1.0 and is due to improper neutralization of input during web page generation, specifically within the 'itemscope' shortcode. The plugin fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the context of any user who views the infected page, potentially enabling session hijacking, defacement, or unauthorized actions on behalf of users. The vulnerability is exploitable remotely over the network without user interaction but requires some level of authentication (contributor or above). The CVSS v3.1 score of 6.4 reflects a medium severity with low attack complexity but limited privileges required. No patches or exploits are currently publicly available, but the vulnerability's presence in a widely used CMS plugin poses a significant risk if left unaddressed.

The impact of CVE-2026-1575 is primarily on the confidentiality and integrity of WordPress sites using the Schema Shortcode plugin. Successful exploitation allows attackers to inject persistent malicious scripts that execute in the browsers of site visitors and administrators, potentially leading to session hijacking, credential theft, unauthorized actions, or content manipulation. This can erode user trust, damage brand reputation, and lead to regulatory compliance issues if sensitive data is compromised. Since the vulnerability requires contributor-level access, attackers must first gain some authenticated foothold, which may be feasible through social engineering or compromised accounts. The scope includes all websites running the vulnerable plugin version, which may be numerous given WordPress's popularity. Although availability is not directly impacted, the indirect consequences of injected scripts could include site defacement or redirection to malicious sites, causing operational disruption.

To mitigate CVE-2026-1575, organizations should immediately update the Schema Shortcode plugin to a patched version once released by the vendor. In the absence of an official patch, administrators should consider disabling or removing the plugin to eliminate the attack surface. Implement strict role-based access controls to limit contributor-level privileges and monitor for suspicious account activity. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'itemscope' shortcode attributes. Conduct thorough input validation and output encoding on any user-generated content, especially shortcodes. Regularly audit WordPress plugins for vulnerabilities and maintain an inventory of installed components. Additionally, educate content contributors about safe content practices and monitor site pages for unexpected script injections or anomalies.