CVE-2026-5247 is a stored cross-site scripting vulnerability in the Schedule Post Changes With PublishPress Future WordPress plugin affecting all versions up to 4.10.0. The vulnerability arises from insufficient sanitization of the 'wrapper' attribute in the [futureaction] shortcode. The plugin uses esc_html() to escape the attribute value, which only encodes HTML entities but does not prevent injection of event handler attributes when the value is used as an HTML tag name in a sprintf() call. This allows authenticated users with administrator-level access to inject arbitrary JavaScript that executes in the context of users viewing the injected pages. The vulnerability may also be exploited by lower-privileged users if administrators enable this functionality for them.

An attacker with administrator-level privileges can inject arbitrary web scripts into pages via the 'wrapper' attribute of the [futureaction] shortcode. These scripts execute when other users access the injected pages, potentially leading to session hijacking, defacement, or other malicious actions within the context of the WordPress site. The vulnerability is limited to authenticated users with high privileges, but the risk extends to lower-privileged users if administrators enable this functionality for them. There is no indication of impact on availability or system integrity beyond the injection of malicious scripts.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict administrator access to trusted users only and avoid enabling the vulnerable shortcode functionality for lower-privileged users. Monitor plugin updates from PublishPress for a security patch addressing this issue.