CVE-2026-1886 is a stored cross-site scripting (XSS) vulnerability identified in the Go Night Pro | WordPress Dark Mode Plugin, developed by hrs2015, affecting all versions up to and including 1.1.0. The vulnerability stems from improper neutralization of user input (CWE-79) specifically in the 'margin' attribute of the plugin's 'go-night-pro-shortcode' shortcode. The plugin fails to adequately sanitize and escape this attribute, allowing authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into WordPress pages. Because the injected scripts are stored persistently within the page content, they execute automatically whenever any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability requires authenticated access but no user interaction beyond viewing the page. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required at the contributor level. The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. No patches or official fixes have been linked yet, and no known exploits are reported in the wild. This vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow shortcode attributes to be user-controlled and rendered without proper escaping.

The impact of CVE-2026-1886 is significant for organizations using the affected WordPress plugin, particularly those with multiple contributors or editors who have authenticated access. Successful exploitation enables attackers to inject persistent malicious scripts that execute in the browsers of any users visiting the compromised pages. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed with victim user privileges, defacement, or distribution of malware. Since the vulnerability requires contributor-level access, it could be exploited by malicious insiders or compromised contributor accounts. The scope change means that the attack can affect other components or users beyond the plugin itself, potentially compromising the confidentiality and integrity of site content and user data. Although availability impact is low, the reputational damage and potential data breaches can be severe. Organizations relying on this plugin for site appearance and user experience may face increased risk of targeted attacks, especially in sectors with high-value content or sensitive user information.

To mitigate CVE-2026-1886, organizations should immediately upgrade the Go Night Pro plugin to a fixed version once available from the vendor. Until a patch is released, administrators should restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections in shortcode attributes can provide temporary protection. Site administrators should also enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly scanning site content for injected scripts and monitoring logs for unusual shortcode usage can help detect exploitation attempts. Developers maintaining the plugin should apply proper input validation and output encoding on all shortcode attributes, especially those that accept user input. Finally, educating contributors about the risks of injecting untrusted content and enforcing strict content review policies can reduce the attack surface.