CVE-2026-1851 is a stored cross-site scripting vulnerability identified in the iVysilani Shortcode plugin for WordPress, developed by deckercz. The vulnerability exists due to improper neutralization of input during web page generation, specifically in the handling of the 'width' shortcode attribute. All versions up to and including 3.0 are affected. The root cause is insufficient input sanitization and lack of proper output escaping, which allows an authenticated attacker with Contributor-level access or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the context of any user who visits the infected page, potentially leading to session hijacking, privilege escalation, or unauthorized actions on behalf of the victim. The vulnerability does not require user interaction beyond page access and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based with low attack complexity and privileges required are low (authenticated contributor). The scope is changed as the vulnerability affects the confidentiality and integrity of data across the WordPress site. No patches have been linked yet, and no known exploits are reported in the wild. The vulnerability was reserved in early February 2026 and published in March 2026.

The primary impact of this vulnerability is the compromise of confidentiality and integrity of user data on affected WordPress sites. Attackers can inject malicious scripts that execute in the browsers of site visitors, potentially stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of users without their consent. This can lead to account takeover, defacement, or further exploitation of the site. Since the vulnerability requires authenticated access at Contributor level or above, attackers must first gain some level of access, but many WordPress sites allow user registrations with such privileges, increasing risk. The stored nature of the XSS means the malicious payload persists and affects all visitors to the compromised pages, amplifying the impact. For organizations relying on the iVysilani Shortcode plugin, this can result in reputational damage, loss of user trust, and potential regulatory consequences if user data is exposed. The medium severity score reflects a moderate but significant risk, especially for high-traffic or sensitive websites.

To mitigate this vulnerability, organizations should immediately review user roles and restrict Contributor-level access to trusted users only. Implement strict input validation and output encoding for all shortcode attributes, especially the 'width' attribute, to prevent injection of malicious scripts. Until an official patch is released, consider disabling or removing the iVysilani Shortcode plugin to eliminate the attack surface. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute inputs. Regularly audit WordPress plugins for updates and security advisories. Additionally, monitor site content for unexpected script injections and conduct periodic security scans. Educate site administrators and users about the risks of XSS and the importance of least privilege principles. Once a patch is available, apply it promptly and verify the fix by testing the shortcode inputs for proper sanitization.