CVE-2026-1823 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Consensus Embed plugin for WordPress, specifically in all versions up to and including 1.6. The root cause is insufficient sanitization and escaping of user-supplied input within the plugin's consensus shortcode attributes. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected site. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a risk especially on sites where multiple users have contributor or higher roles. The plugin is widely used in WordPress environments that embed consensus content, making the vulnerability relevant to many organizations relying on this plugin for content integration. The lack of a patch link suggests that users must monitor vendor updates or implement manual mitigations.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject malicious scripts that execute in the browsers of site visitors or other users. This can lead to theft of sensitive information such as authentication cookies, enabling session hijacking and impersonation. Attackers might also perform unauthorized actions on behalf of other users, compromising data integrity. While availability is not directly affected, the breach of confidentiality and integrity can damage organizational reputation and user trust. For organizations with multiple contributors or collaborative content creation workflows, this vulnerability increases the attack surface. Exploitation could facilitate further attacks such as phishing, malware distribution, or lateral movement within the network. Given the widespread use of WordPress and the Consensus Embed plugin, the vulnerability could affect a large number of websites globally, especially those that do not restrict contributor permissions or fail to monitor plugin security updates.

Organizations should immediately review user roles and permissions to limit contributor-level access to trusted users only. Implement strict input validation and output escaping for any user-generated content, especially in shortcodes or plugin inputs. Monitor for plugin updates from consensusintegrations and apply patches promptly once available. In the absence of an official patch, consider disabling or removing the Consensus Embed plugin if it is not critical. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections targeting the consensus shortcode. Conduct regular security audits and penetration testing focusing on user input handling in WordPress plugins. Educate content contributors about safe content practices and the risks of injecting untrusted code. Additionally, implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites, mitigating the impact of potential XSS attacks.