CVE-2026-2121 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Weaver Show Posts plugin for WordPress, affecting all versions up to and including 1.8.1. The root cause is insufficient sanitization and escaping of the 'add_class' parameter, which is user-supplied and incorporated into web pages without proper neutralization. This flaw enables authenticated attackers with Administrator-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. The injected scripts execute whenever any user views the affected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions on behalf of users. This vulnerability is particularly relevant in multisite WordPress installations where administrators do not have the unfiltered_html capability, as it restricts their ability to safely manage HTML content, increasing the risk of exploitation. The CVSS 3.1 base score is 4.4 (medium severity), reflecting network attack vector, high attack complexity, required privileges, no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability's presence in a popular WordPress plugin makes it a candidate for future exploitation. The lack of a patch link suggests that remediation may require plugin updates or manual mitigation steps.

The primary impact of this vulnerability is the potential for stored XSS attacks that can compromise the confidentiality and integrity of user data. Attackers with administrator privileges can inject malicious scripts that execute in the context of any user visiting the infected page, potentially leading to session hijacking, credential theft, unauthorized actions, or distribution of malware. While availability is not affected, the breach of trust and data integrity can damage organizational reputation and lead to compliance violations. Multisite WordPress environments are especially at risk, as the vulnerability exploits the limited capabilities of administrators without unfiltered_html rights. Organizations relying on the Weaver Show Posts plugin may face targeted attacks if adversaries gain administrator access, which could be leveraged to escalate privileges or pivot within the network. Although no known exploits are currently active, the medium severity and ease of script injection warrant prompt attention to avoid future exploitation.

Organizations should immediately verify if they use the Weaver Show Posts plugin version 1.8.1 or earlier, particularly in multisite WordPress installations. Since no official patch link is provided, administrators should monitor the vendor's updates and apply patches as soon as they become available. In the interim, restrict administrator privileges to trusted users only and review user roles to minimize the number of users with high-level access. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'add_class' parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly audit plugin usage and consider disabling or replacing vulnerable plugins with more secure alternatives. Additionally, enable logging and monitoring for unusual administrative activities and injected content. Educate administrators about the risks of injecting untrusted content and enforce strict input validation and output encoding practices in custom code.