CVE-2026-5748 is a stored cross-site scripting vulnerability in the Text Snippets WordPress plugin (snedled project) affecting all versions up to 0.0.1. The issue stems from improper neutralization of input during web page generation, specifically in the 'ts' shortcode, where user-supplied attributes are not properly sanitized or escaped. Authenticated users with contributor-level permissions or higher can exploit this to inject arbitrary JavaScript that executes in the context of other users viewing the injected pages. The vulnerability has a CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and partial impact on confidentiality and integrity without availability impact.

An attacker with contributor-level or higher privileges can inject malicious scripts into pages via the vulnerable shortcode. These scripts execute in the browsers of users who view the affected pages, potentially leading to theft of session tokens, defacement, or other actions limited by the scope of the injected script. The impact is limited to confidentiality and integrity with no direct availability impact. The vulnerability requires authenticated access, reducing its risk compared to unauthenticated XSS.

No official patch or remediation is currently available from the vendor. Users should restrict contributor-level access to trusted individuals and consider disabling or removing the Text Snippets plugin until a fix is released. Monitor the vendor's advisory channels for updates. Since this is a stored XSS vulnerability, avoid using the vulnerable shortcode with untrusted input. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.