The Orbisius Random Name Generator plugin for WordPress, versions up to and including 1.0.2, contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2026-1893. This vulnerability stems from insufficient sanitization and escaping of the 'btn_label' parameter used within the 'orbisius_random_name_generator' shortcode. Specifically, authenticated users with Contributor-level privileges or higher can inject arbitrary JavaScript code into the plugin's output. When other users access pages containing the injected shortcode, the malicious scripts execute in their browsers. This flaw is categorized under CWE-79, indicating improper neutralization of input during web page generation. The vulnerability does not require user interaction to trigger once the malicious content is stored and viewed, and it allows attackers to compromise confidentiality and integrity by potentially stealing session tokens, defacing content, or performing unauthorized actions on behalf of users. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. No official patches have been published yet, and no known exploits are reported in the wild. However, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors or editors.

The primary impact of this vulnerability is the potential for stored XSS attacks, which can lead to session hijacking, defacement, or unauthorized actions performed in the context of affected users. Since the attack requires authenticated Contributor-level access, the threat is elevated in environments with multiple content creators or editors. Confidentiality is at risk because attackers can steal cookies or authentication tokens. Integrity can be compromised through content manipulation or injection of malicious scripts. Availability is not directly impacted. The scope is significant for WordPress sites using this plugin, particularly those with collaborative editing workflows. Exploitation could undermine user trust, lead to account compromise, or facilitate further attacks such as privilege escalation or malware distribution. Organizations relying on this plugin should consider the risk to their user base and data integrity, especially in sectors where WordPress is widely used, such as media, education, and small to medium enterprises.

Immediate mitigation involves restricting Contributor-level user permissions to trusted individuals only, minimizing the risk of malicious input injection. Site administrators should monitor and audit content submitted via the Orbisius Random Name Generator shortcode for suspicious scripts. Employing Web Application Firewalls (WAFs) with rules targeting common XSS payloads can help block exploitation attempts. Until an official patch is released, consider disabling or removing the plugin if it is not essential. For sites that must continue using the plugin, custom code modifications to sanitize and escape the 'btn_label' parameter before output can reduce risk. Additionally, implementing Content Security Policy (CSP) headers can limit the impact of injected scripts by restricting script sources. Regular backups and incident response plans should be in place to recover from potential compromises. Finally, stay alert for vendor updates or patches addressing this vulnerability and apply them promptly once available.