CVE-2026-1915 is a stored cross-site scripting vulnerability identified in the Simple Plyr plugin for WordPress, a multimedia player plugin used to embed video and audio content. The vulnerability exists in all versions up to and including 0.0.1 due to insufficient sanitization and escaping of the 'poster' parameter within the 'plyr' shortcode. This parameter accepts user input that is embedded directly into web pages without proper neutralization, enabling authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code. Because the malicious script is stored persistently, it executes every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability requires no user interaction but does require authenticated access, limiting the attack surface to users with some level of trust on the site. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, privileges required, no user interaction, scope changed, and low impact on confidentiality and integrity, with no impact on availability. No patches or exploit code are currently publicly available, but the vulnerability is classified as medium severity due to the potential for privilege escalation and persistent script execution. The plugin’s widespread use in WordPress sites, especially those with multiple contributors, increases the risk of exploitation if left unmitigated.

The primary impact of this vulnerability is the potential for persistent cross-site scripting attacks, which can lead to session hijacking, credential theft, unauthorized actions performed on behalf of users, and defacement of websites. Since the vulnerability requires Contributor-level access, attackers must already have some level of trust or access to the site, but can leverage this to escalate privileges or compromise higher-privileged users such as administrators. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting the entire site or user base. For organizations, exploitation could result in data breaches, loss of user trust, reputational damage, and compliance violations. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure. Sites with multiple contributors or open registration are particularly vulnerable, as malicious actors may create accounts to exploit this flaw. The impact is primarily on confidentiality and integrity, with no direct availability impact.

To mitigate this vulnerability, organizations should first check for updates or patches from the plugin vendor and apply them promptly once available. In the absence of an official patch, administrators should restrict Contributor-level access to trusted users only and audit existing user accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'poster' parameter can provide temporary protection. Site administrators should also sanitize and validate all user inputs rigorously, especially those used in shortcodes or embedded content. Reviewing and hardening WordPress security settings, such as disabling untrusted shortcode usage or limiting plugin capabilities, can reduce attack surface. Regular security scanning and monitoring for anomalous script injections or unusual user behavior can help detect exploitation attempts early. Educating contributors about secure content practices and the risks of injecting untrusted content is also recommended. Finally, consider isolating or sandboxing plugin output where feasible to limit script execution impact.