CVE-2026-1608 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Video Onclick plugin for WordPress, developed by tigor4eg. The flaw exists in all versions up to and including 0.4.7 due to insufficient sanitization and escaping of user input in the plugin's youtube shortcode attributes. This vulnerability allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the injected scripts are stored and executed whenever a user accesses the affected page, this can lead to persistent XSS attacks. The vulnerability is classified under CWE-79, which involves improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity level with an attack vector over the network, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change due to affecting other components. The impact includes partial loss of confidentiality and integrity, as attackers could steal session cookies, perform actions on behalf of users, or manipulate page content. No known exploits have been reported in the wild, but the vulnerability poses a risk in multi-user WordPress environments where contributors can add content. The lack of official patches at the time of publication necessitates immediate mitigation steps to reduce exposure.

The primary impact of CVE-2026-1608 is the potential for attackers with contributor-level access to execute persistent XSS attacks on WordPress sites using the vulnerable Video Onclick plugin. This can lead to theft of sensitive user data such as session cookies, enabling account hijacking, unauthorized actions performed in the context of other users, and defacement or manipulation of website content. While availability is not directly affected, the integrity and confidentiality of site data and user information are at risk. Organizations with multiple content contributors or editors are particularly vulnerable, as attackers can leverage legitimate access to inject malicious scripts. This can erode user trust, cause reputational damage, and potentially lead to further compromise if attackers use the XSS vector to deliver additional payloads such as malware or phishing content. The medium CVSS score reflects that exploitation is feasible but requires authenticated access, limiting the scope somewhat but not eliminating risk in collaborative environments.

To mitigate CVE-2026-1608, organizations should first check for and apply any official patches or updates from the tigor4eg Video Onclick plugin developer once available. In the absence of patches, administrators should restrict contributor-level permissions to trusted users only and audit existing content for suspicious shortcode usage. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the youtube shortcode can provide temporary protection. Additionally, site owners can sanitize and validate all user inputs on the server side, especially those related to shortcode attributes, and apply output encoding to prevent script execution. Employing Content Security Policy (CSP) headers to restrict inline script execution and external script sources can reduce the impact of injected scripts. Regular security reviews and monitoring for unusual activity or content changes are recommended. Finally, educating content contributors about secure content practices and the risks of injecting untrusted code can help prevent exploitation.