CVE-2026-1891 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Simple Football Scoreboard plugin for WordPress, developed by dogrow. The flaw exists in all versions up to and including 1.0 due to insufficient sanitization and escaping of user input in the 'ytmr_fb_scoreboard' shortcode attributes. This allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages where the shortcode is used. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a network attack vector, low attack complexity, and the requirement of privileges (Contributor or higher) but no user interaction. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. Confidentiality and integrity impacts are low, while availability is unaffected. No known public exploits exist yet, but the risk remains significant for sites using this plugin, especially those with multiple contributors. The lack of patches at the time of reporting necessitates immediate mitigation steps to reduce exposure.

The primary impact of this vulnerability is the potential for attackers with Contributor-level access to inject malicious scripts that execute in the context of other users visiting the affected pages. This can lead to theft of session cookies, enabling account takeover or privilege escalation, unauthorized actions performed on behalf of users, and potential defacement or misinformation on the site. While availability is not impacted, the confidentiality and integrity of user data and site content can be compromised. Organizations running WordPress sites with multiple contributors and using this plugin are at risk of internal threat exploitation or compromised contributor accounts. The vulnerability could also be leveraged as a foothold for further attacks within the WordPress environment or connected systems. The medium CVSS score reflects these moderate but meaningful risks, especially in environments with sensitive data or high user interaction.

1. Immediately restrict Contributor-level access to trusted users only and review existing contributor accounts for suspicious activity. 2. Disable or remove the Simple Football Scoreboard plugin until a security patch is released. 3. Monitor usage of the 'ytmr_fb_scoreboard' shortcode for unusual or unexpected attribute values that may indicate attempted exploitation. 4. Implement Web Application Firewall (WAF) rules to detect and block malicious script injections targeting shortcode parameters. 5. Educate contributors about safe content submission practices and the risks of injecting untrusted code. 6. Once a patch or updated plugin version is available, apply it promptly and verify that input sanitization and output escaping are properly enforced. 7. Conduct regular security audits and vulnerability scans focusing on installed WordPress plugins and user privileges. 8. Consider employing Content Security Policy (CSP) headers to limit the impact of potential XSS attacks by restricting script execution sources.