The Tour & Activity Operator Plugin for TourCMS, a WordPress plugin used to manage tours and activities, contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-1806. This vulnerability is due to improper neutralization of input during web page generation (CWE-79). Specifically, the 'target' parameter of the tourcms_doc_link shortcode is not properly sanitized or escaped before being rendered in the page output. As a result, authenticated users with Contributor-level access or higher can inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the victim. The vulnerability affects all versions up to and including 1.7.0 of the plugin. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly. The flaw highlights the importance of proper input validation and output encoding in WordPress plugins, especially those that accept user-generated content or parameters.

This vulnerability can allow attackers with contributor-level access to inject persistent malicious scripts into web pages, which execute in the browsers of other users visiting those pages. The impact includes potential theft of sensitive information such as authentication cookies, personal data, or other confidential information accessible via the browser context. It can also enable attackers to perform unauthorized actions on behalf of victims, such as changing user settings or escalating privileges if combined with other vulnerabilities. Although it does not directly affect availability, the compromise of user accounts or data integrity can lead to reputational damage and loss of trust for organizations using the affected plugin. Since WordPress is widely used globally, and this plugin targets tour and activity operators, businesses in the travel and tourism sector are particularly at risk. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but this does not eliminate risk, especially in environments with multiple contributors or less stringent access controls.

Organizations using the Tour & Activity Operator Plugin for TourCMS should immediately upgrade to a patched version once available. In the absence of a patch, administrators should restrict contributor-level access to trusted users only and audit existing users for suspicious accounts. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the 'target' parameter can provide temporary protection. Additionally, site owners should review and sanitize all user-generated content and shortcode parameters manually if possible. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Regularly monitor logs and user activity for signs of exploitation attempts. Developers maintaining the plugin should add proper input validation and output escaping for all shortcode parameters to prevent injection. Finally, educating contributors about the risks of injecting untrusted content can reduce accidental exploitation.