CVE-2026-1905 is a stored Cross-Site Scripting vulnerability identified in the Sphere Manager plugin for WordPress, specifically affecting all versions up to and including 1.0.2. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), where the 'width' parameter in the 'show_sphere_image' shortcode is not adequately sanitized or escaped before being rendered. This allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, defacement, or unauthorized actions performed with the victim's privileges. The vulnerability is network exploitable (AV:N), requires low attack complexity (AC:L), and privileges at the contributor level (PR:L), but does not require user interaction (UI:N). The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, impacting other users. The CVSS v3.1 base score is 6.4, reflecting a medium severity level with partial confidentiality and integrity impacts but no availability impact. No patches or known exploits are currently reported, but the risk remains significant due to the widespread use of WordPress and the plugin’s role in content management. The vulnerability highlights the importance of input validation and output encoding in plugin development to prevent stored XSS attacks.

The primary impact of CVE-2026-1905 is the potential for attackers with Contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any users viewing those pages. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, defacement of website content, or redirection to malicious sites. Confidentiality is compromised as attackers can steal sensitive user data or authentication tokens. Integrity is affected because attackers can alter page content or user interactions. Availability is not directly impacted. For organizations, this can result in reputational damage, loss of user trust, and potential regulatory consequences if user data is exposed. Since exploitation requires authenticated access, insider threats or compromised contributor accounts are primary vectors. The vulnerability is particularly concerning for multi-user WordPress environments such as corporate blogs, news sites, or community portals where contributors are common. Without mitigation, attackers can leverage this vulnerability to escalate privileges or conduct broader attacks within the affected site.

1. Immediately restrict Contributor-level user privileges to trusted individuals and review all contributor accounts for suspicious activity. 2. Disable or remove the Sphere Manager plugin if it is not essential to reduce the attack surface. 3. Implement strict input validation and output encoding for the 'width' parameter in the 'show_sphere_image' shortcode, ensuring all user-supplied data is sanitized before rendering. 4. Monitor WordPress pages for unexpected or suspicious script tags or injected content, using security plugins or manual audits. 5. Employ a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting this plugin. 6. Keep all WordPress core, themes, and plugins up to date and watch for official patches or updates from devmw addressing this vulnerability. 7. Educate contributors about safe content practices and the risks of injecting untrusted code. 8. Consider implementing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. 9. Regularly back up website content to enable quick restoration if an attack occurs. 10. Conduct periodic security assessments focusing on plugin vulnerabilities and user privilege management.