CVE-2026-1915: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bestony Simple Plyr
The Simple Plyr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'poster' parameter in the 'plyr' shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2026-1915 is a stored Cross-Site Scripting vulnerability identified in the Simple Plyr plugin for WordPress, developed by bestony. The vulnerability exists in all versions up to and including 0.0.1 due to insufficient sanitization and escaping of the 'poster' parameter within the 'plyr' shortcode. This parameter accepts user input that is directly embedded into web pages without proper neutralization, enabling attackers with Contributor-level or higher privileges to inject arbitrary JavaScript code. Since the injected scripts are stored persistently, they execute every time a user accesses the affected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions on behalf of users. The vulnerability requires authenticated access but no user interaction, making it a significant risk within environments where multiple users have content editing rights. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and partial impact on confidentiality and integrity. No patches or known exploits are currently available, indicating the need for immediate attention from site administrators. The vulnerability falls under CWE-79, highlighting improper input neutralization during web page generation as the root cause.
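To make the CWE-79 pattern described above concrete, here is an added example (written for this page, not code from the Simple Plyr plugin or from bestony) that reconstructs a shortcode handler with the flaw the advisory describes and places the hardened handler beside it. The `example_` function names are hypothetical; `shortcode_atts`, `esc_url` and `add_shortcode` are core WordPress functions, and the code assumes it is loaded inside WordPress.

```php
<?php
/**
 * Added example, not the Simple Plyr plugin's code: a reconstruction of the
 * CWE-79 pattern in a [plyr ...] shortcode handler and its hardened form.
 * The example_ function names are hypothetical; shortcode_atts(), esc_url()
 * and add_shortcode() are core WordPress functions, so this must be loaded
 * inside WordPress (for instance as a must-use plugin).
 */

// Vulnerable pattern: the 'poster' attribute, which any user who can submit
// posts (Contributor and above) controls, is concatenated straight into an
// HTML attribute. A value containing a double quote closes the attribute and
// the remainder of the value is parsed as markup; because the shortcode is
// saved in post content, the injected markup is served on every page view,
// which is the stored XSS the advisory reports.
function example_plyr_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'src' => '', 'poster' => '' ),
        $atts,
        'plyr'
    );
    return '<video controls src="' . $atts['src'] . '" poster="' . $atts['poster'] . '"></video>';
}

// Hardened pattern: treat both attributes as URLs, not as free text.
// esc_url() with an explicit protocol list returns '' for any other scheme
// (javascript:, data:, ...), strips characters that are illegal in a URL
// (double quotes, < > and whitespace among them) and, in its default
// 'display' context, entity-encodes the result for an HTML attribute, so the
// value can no longer terminate the attribute it is printed into.
function example_plyr_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'src' => '', 'poster' => '' ),
        $atts,
        'plyr'
    );

    $src    = esc_url( $atts['src'], array( 'http', 'https' ) );
    $poster = esc_url( $atts['poster'], array( 'http', 'https' ) );

    if ( '' === $src ) {
        // Nothing safe to play: render nothing rather than a broken tag.
        return '';
    }

    $html = '<video controls src="' . $src . '"';
    if ( '' !== $poster ) {
        // Only emit the attribute when a clean http(s) URL survived escaping.
        $html .= ' poster="' . $poster . '"';
    }
    return $html . '></video>';
}

add_shortcode( 'plyr', 'example_plyr_shortcode_hardened' );
```

The important design choice is to escape at the output point with a function that matches the context (a URL inside an HTML attribute), rather than trying to filter "bad" strings on input: Contributors cannot hold the `unfiltered_html` capability, but WordPress's content filter does not inspect shortcode attribute values, so the shortcode handler itself is the last place the value can be neutralized.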
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to websites using the Simple Plyr plugin on WordPress platforms. Exploitation could lead to unauthorized script execution, resulting in session hijacking, data theft, or defacement of web content. This can damage organizational reputation, lead to data breaches involving user information, and potentially facilitate further attacks such as privilege escalation or lateral movement within internal networks. Given that the exploit requires authenticated access at Contributor level or above, organizations with multiple content editors or contributors are at higher risk. The impact is especially critical for sectors relying heavily on web presence and user trust, such as e-commerce, media, and public services. Additionally, the cross-site scripting vulnerability could be leveraged to bypass security controls or inject malicious payloads that affect visitors or administrators, increasing the attack surface. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future exploitation.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the presence of the Simple Plyr plugin and verify the version in use. Since no official patches are currently available, administrators should consider temporarily disabling the plugin or restricting Contributor-level access until a fix is released. Implementing strict input validation and output encoding on the 'poster' parameter can mitigate the risk; this may involve custom code or web application firewall (WAF) rules to detect and block malicious payloads targeting this parameter. Additionally, monitoring logs for unusual activity related to shortcode usage or unexpected script injections can help detect exploitation attempts early. Educating content contributors about safe input practices and limiting the number of users with editing privileges reduces the attack surface. Finally, organizations should subscribe to security advisories from WordPress and bestony to apply patches promptly once available.
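The audit and monitoring steps above can be made concrete with a small must-use plugin. The following is an added example written for this page (not code from the Simple Plyr plugin, bestony or Wordfence): it scans stored post content for `[plyr ...]` shortcodes whose `poster` or `src` attribute is not a clean http(s) URL, and, as interim containment while no fixed release exists, unregisters the shortcode so it is not rendered. The `example_` function name is hypothetical; `get_shortcode_regex`, `shortcode_parse_atts`, `esc_url_raw`, `get_posts`, `remove_shortcode` and `add_action` are core WordPress functions. It assumes the plugin registers its shortcode at plugin load or on `init` at normal priority.

```php
<?php
/**
 * Added example, not part of the Simple Plyr plugin or of this advisory.
 * Install as wp-content/mu-plugins/example-plyr-audit.php. The example_
 * function name is hypothetical; every other function called here is core
 * WordPress.
 */

/**
 * Find every [plyr ...] shortcode in stored content whose 'poster' or 'src'
 * attribute is not a clean http(s) URL. The attribute is only meant to hold
 * a URL, so any value that esc_url_raw() has to change (quotes, angle
 * brackets, whitespace, a non-http scheme) deserves review together with the
 * account that saved it. Relative paths without a leading slash also show up,
 * because esc_url_raw() prepends http:// to them; treat the list as triage
 * input, not as something to delete automatically.
 *
 * @return array[] One row per suspicious attribute: post_id, author, attribute, value.
 */
function example_audit_plyr_shortcodes() {
    $findings = array();

    // get_shortcode_regex() builds the pattern WordPress itself uses to
    // locate shortcodes, restricted here to the 'plyr' tag. Using it directly
    // (instead of has_shortcode()) still works when the plugin is deactivated
    // and the tag is no longer registered.
    $pattern = '/' . get_shortcode_regex( array( 'plyr' ) ) . '/';

    $posts = get_posts( array(
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
    ) );

    foreach ( $posts as $post ) {
        if ( false === strpos( $post->post_content, '[plyr' ) ) {
            continue;
        }
        if ( ! preg_match_all( $pattern, $post->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            // [[plyr ...]] is an escaped shortcode that WordPress prints
            // literally and never executes, so it is not a rendering risk.
            if ( '[' === $m[1] && ']' === $m[6] ) {
                continue;
            }
            // Capture group 3 of the core regex is the raw attribute string.
            $atts = shortcode_parse_atts( $m[3] );
            if ( ! is_array( $atts ) ) {
                continue;
            }
            foreach ( array( 'poster', 'src' ) as $name ) {
                if ( empty( $atts[ $name ] ) ) {
                    continue;
                }
                $raw   = $atts[ $name ];
                $clean = esc_url_raw( $raw, array( 'http', 'https' ) );
                if ( $clean !== $raw ) {
                    $findings[] = array(
                        'post_id'   => $post->ID,
                        'author'    => (int) $post->post_author,
                        'attribute' => $name,
                        'value'     => $raw,
                    );
                }
            }
        }
    }
    return $findings;
}

// Interim containment while no fixed release exists: unregister the shortcode
// late on 'init' so the plugin's own add_shortcode() call, which runs earlier,
// is undone and [plyr ...] is left as inert text in the page. Remove this hook
// once a patched version is installed.
add_action( 'init', function () {
    remove_shortcode( 'plyr' );
}, PHP_INT_MAX );
```

Run `example_audit_plyr_shortcodes()` from WP-CLI (`wp eval`) or a one-off admin page and feed the `post_id`/`author` pairs into the review of Contributor accounts; the author field is what turns a content finding into an account to examine, which is the log-review step the recommendations above describe.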
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-04T15:40:10.946Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69901aedc9e1ff5ad86893d5
Added to database: 2/14/2026, 6:49:17 AM
Last enriched: 2/14/2026, 7:05:35 AM
Last updated: 2/21/2026, 12:20:28 AM
Views: 26
Related Threats
- CVE-2026-27203: CWE-15: External Control of System or Configuration Setting in YosefHayim ebay-mcp (High)
- CVE-2026-27168: CWE-122: Heap-based Buffer Overflow in HappySeaFox sail (High)
- CVE-2026-27134: CWE-287: Improper Authentication in strimzi strimzi-kafka-operator (High)
- CVE-2026-27190: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in denoland deno (High)
- CVE-2026-27026: CWE-770: Allocation of Resources Without Limits or Throttling in py-pdf pypdf (Medium)